Dirty Frag | dirtyfrag.tech

CVE-2026-43284 - xfrm ESP input / shared skb fragments

Official records: NVD - CVE-2026-43284 | CVE Record.

Resolved behavior (kernel.org description)

Per NVD's imported kernel.org text: MSG_SPLICE_PAGES can attach pipe-backed pages directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after splice so later mutating paths can copy privately; IPv4/IPv6 UDP datagram append paths historically omitted that flag when splicing into UDP skbs. ESP-in-UDP packets built from shared pipe pages could then resemble ordinary nonlinear skbs, letting ESP input decrypt in place over data not privately owned by the skb.

Fix strategy summarized on NVD: mark IPv4/IPv6 datagram splice fragments with SKBFL_SHARED_FRAG (matching TCP) and make ESP input fall back to skb_cow_data() when the flag is present so externally backed fragments are not decrypted in place.
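The two halves of the fix described above, as an added userspace toy model (not kernel code and not taken from the kernel.org patch). The `model_*` names, `MODEL_SHARED_FRAG`, and the XOR standing in for ESP decryption are assumptions made for illustration; it shows that the pipe owner's page stays intact only when the splice path marks the fragment and ESP input honors the mark.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_SHARED_FRAG 0x1 /* stands in for SKBFL_SHARED_FRAG */
#define PAGE_LEN 16
/* Toy skb: one fragment that may point at memory owned by someone else. */
struct model_skb {
    uint8_t *frag;      /* fragment data, possibly a pipe-backed page */
    int      owns_frag; /* 1 once the skb holds a private copy */
    unsigned flags;
};

/* Stand-in for skb_cow_data(): give the skb a private copy of the fragment. */
static int model_cow_data(struct model_skb *skb) {
    uint8_t *copy = malloc(PAGE_LEN);
    if (!copy)
        return -1;
    memcpy(copy, skb->frag, PAGE_LEN);
    skb->frag = copy;
    skb->owns_frag = 1;
    return 0;
}

/* Stand-in for ESP input. honor_flag=0 models the pre-fix path, 1 the fixed one. */
static int model_esp_input(struct model_skb *skb, int honor_flag) {
    if (honor_flag && (skb->flags & MODEL_SHARED_FRAG) && model_cow_data(skb))
        return -1;
    for (int i = 0; i < PAGE_LEN; i++)
        skb->frag[i] ^= 0x5a; /* "decrypt" in place */
    return 0;
}

/* Splice a pipe page into a datagram skb, run ESP input, and report whether
 * the pipe owner's page was modified (1) or left intact (0). */
static int pipe_page_modified(int mark_on_splice, int honor_flag) {
    uint8_t pipe_page[PAGE_LEN], before[PAGE_LEN];
    memset(pipe_page, 'A', PAGE_LEN); /* constructed sample data */
    memcpy(before, pipe_page, PAGE_LEN);
    struct model_skb skb = { pipe_page, 0, mark_on_splice ? MODEL_SHARED_FRAG : 0 };
    int rc = model_esp_input(&skb, honor_flag);
    int changed = memcmp(before, pipe_page, PAGE_LEN) != 0;
    if (skb.owns_frag)
        free(skb.frag);
    return rc ? -1 : changed;
}

int main(void) {
    printf("pre-fix: %d, fixed: %d\n", pipe_page_modified(0, 0), pipe_page_modified(1, 1));
    return 0;
}
```

In the model, either half of the fix applied alone still leaves the external page modified, which is why the description pairs the datagram-path marking with the ESP input fallback.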

Metrics and weaknesses

Affected software configuration

Use the Known affected software configurations / CPE tables on NVD; they change as enrichment completes. Do not infer coverage from blogs alone.

Patches

Stable-tree commits are linked from NVD References (kernel.org). Follow your distro's backported packages rather than cherry-picking commits manually unless you maintain a custom kernel.

Operational notes

ESP functionality underpins many IPsec VPN stacks. Temporary module restrictions may trade availability for risk reduction; coordinate with networking owners and vendor guidance on Respond.