HOMEVULNERABILITIESCVE-2026-43500
HIGHCISA KEVIN THE WILD

CVE-2026-43500

Published: May 11, 2026· Updated: May 17, 2026

7.8
CVSS v3.1
EPSS:0.01%probability of exploitation in 30 daysPercentile:1.1th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE

handler in rxrpc_verify_response() copy the skb to a linear one before

calling into the security ops only when skb_cloned() is true. An skb

that is not cloned but still carries externally-owned paged fragments

(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via

__ip_append_data, or a chained skb_has_frag_list()) falls through to

the in-place decryption path, which binds the frag pages directly into

the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or

skb_has_shared_frag() is true. This catches the splice-loopback vector

and other externally-shared frag sources while preserving the

zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC

page_pool RX, GRO). The OOM/trace handling already in place is reused.

NVD Source

Technical Analysis

CVE-2026-43500 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CISA has added CVE-2026-43500 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 3 total CPE entries

Exploit & PoC Resources

ACTIVE EXPLOITATIONConfirmed exploitation in the wild
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

News & Research Mentioning CVE-2026-43500

New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks
SecurityWeek· May 11, 2026

Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was released. The post New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks appeared first on SecurityWeek. [xlite_meta score:53 src:SecurityWeek xlite_fp:118e916be01802bcca136a576e89474e9773fbe402418644bc1826bf9c1c5b2e]

All References (6)

Quick Facts

CVE IDCVE-2026-43500
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVYES — Active Exploitation
ExploitIN THE WILD
EPSS (30d)0.01%
Affected1 vendor
PublishedMay 11, 2026

Known Threat Actors

wa
financial
pear
financial
core
financial
frag
financial

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43500 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • !CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • !Active exploitation confirmed — treat as P1
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.