CVE-2026-43500
Published: May 11, 2026· Updated: May 17, 2026
Official Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
Risk Analysis
This vulnerability in the Linux kernel's rxrpc component allows an attacker to bypass security mechanisms by manipulating how network packets with paged fragments are handled. The system fails to properly unshare these packets before decryption, leading to potential information disclosure or integrity issues. With a CVSS score of 7.8 (HIGH) and confirmed exploitation in the wild, this flaw poses a significant risk.
Active exploitation of this vulnerability has been observed in the wild, and it is listed in CISA's KEV catalog. The attack vector is local, indicating an attacker would need local access to exploit this flaw.
System administrators should apply the latest security patches for the Linux kernel to address this vulnerability. Specifically, updates for Linux kernel versions 5.3 and 7.1 are available and should be prioritized.
Technical Analysis
CVE-2026-43500 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.
CISA has added CVE-2026-43500 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
Official Patches & Advisories
News & Research Mentioning CVE-2026-43500
Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was released. The post New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks appeared first on SecurityWeek. [xlite_meta score:53 src:SecurityWeek xlite_fp:118e916be01802bcca136a576e89474e9773fbe402418644bc1826bf9c1c5b2e]
All References (6)
Quick Facts
Known Threat Actors
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-43500 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts
- !CISA KEV: Federal agencies must patch per BOD 22-01 timeline
- !Active exploitation confirmed — treat as P1