Dirty Frag (dirtyfrag.tech)

CVE-2026-43500 - RxRPC DATA / RESPONSE skb handling

Official records: NVD - CVE-2026-43500 | CVE Record.

Resolved behavior (kernel.org description)

Per NVD's imported kernel.org text: DATA packets handled in rxrpc_input_call_event() and RESPONSE packets in rxrpc_verify_response() linearized skbs before invoking security ops only when skb_cloned() returned true. Skbs that were not cloned but still carried externally-owned paged fragments (for example fragments flagged SKBFL_SHARED_FRAG via splice into UDP through __ip_append_data, or skbs with skb_has_frag_list()) could fall through to an in-place decryption path binding fragment pages into AEAD/skcipher scatter-gather lists via skb_to_sgvec().

Fix strategy summarized on NVD: broaden the gate so handlers also unshare when skb_has_frag_list() or skb_has_shared_frag() is true, preserving zero-copy fast paths for NIC-private fragments (page_pool RX, GRO).
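The two gate conditions described above, side by side, as an added userland model. This is not kernel code or the upstream patch: struct model_skb, gate_before, gate_after, count_exposed and the sample cases are hypothetical names and constructed data that stand in for the sk_buff helpers the text names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the sk_buff properties named in the text. */
struct model_skb {
    const char *label;
    bool cloned;        /* result skb_cloned() would give */
    bool has_frag_list; /* result skb_has_frag_list() would give */
    bool shared_frag;   /* result skb_has_shared_frag() would give */
};

typedef bool (*gate_fn)(const struct model_skb *);

/* Gate before the fix: unshare/linearize only when the skb is cloned. */
static bool gate_before(const struct model_skb *s) { return s->cloned; }

/* Gate after the fix, as summarized: frag lists and shared frags also copy. */
static bool gate_after(const struct model_skb *s)
{
    return s->cloned || s->has_frag_list || s->shared_frag;
}

/* Constructed sample cases, one per situation the text mentions. */
static const struct model_skb samples[] = {
    { "cloned skb",                    true,  false, false },
    { "spliced pages (shared frag)",   false, false, true  },
    { "frag_list skb",                 false, true,  false },
    { "NIC-private frags (page_pool)", false, false, false },
};
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Count samples that would be decrypted in place while not privately owned. */
static int count_exposed(gate_fn gate)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        const struct model_skb *s = &samples[i];
        bool not_private = s->cloned || s->has_frag_list || s->shared_frag;
        if (not_private && !gate(s))
            n++;
    }
    return n;
}

int main(void)
{
    printf("in-place on non-private memory: before=%d after=%d\n",
           count_exposed(gate_before), count_exposed(gate_after));
    return 0;
}
```

In this model the NIC-private case is the only one that stays on the in-place path after the fix, which is the zero-copy behaviour the summary says is preserved.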

Metrics and weaknesses

Affected software configuration

NVD lists discrete Linux kernel CPE ranges for CVE-2026-43500; they differ from CVE-2026-43284. Always reconcile both CVEs independently when auditing fleet kernels.

Patches

Multiple stable commits appear under NVD References. Consume fixes via vendor kernels unless you ship custom builds.

Operational notes

RxRPC supports protocols such as Kerberos-mediated AFS traffic in common deployments. Discuss module restrictions with workload owners; details belong under Respond.