LiveActive security incident?Get immediate response
CVE Record

CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

HighCVSS 8.8Not KEV-listedUpdated
Glexia's TakeAutomated analysis

Security readout for executives and security teams

CVE-2026-43284 is a high-severity Linux kernel memory corruption issue in IPsec ESP-in-UDP handling. A local, low-privileged user may be able to cause sensitive kernel data corruption with high confidentiality, integrity, and availability impact. Treat exposed multi-user Linux systems and shared hosting/container hosts as priority patch candidates. Linux systems running affected kernel versions are the primary exposure. Risk is highest where untrusted local users, workloads, containers, or shared accounts can execute code. Exact exposure depends on distribution backports and whether the running kernel includes one of the stable fixes. Prioritize remediation in the next patch cycle for general Linux servers, and expedite for shared or multi-tenant systems. The issue is local, but its potential impact is broad once an attacker has any foothold. Mitigation focus: Apply the relevant Linux kernel stable or distribution security update.; Prioritize shared Linux hosts, container platforms, and multi-user systems.; Check Red Hat or other vendor guidance for backported fixed kernel builds..

Prepared

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-123: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-43284 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

3CVSS vectors
5Timeline events
3ADP providers
54Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total

CVSS vector scores

3 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H26Linux
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H1.16CISA-ADP
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H1.85.9redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

8.8High
CVSS 3.1 vector shape for CVE-2026-43284Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. ADP timelineredhat-SADP

    Reported to Red Hat.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
redhat-SADPkernel: "Dirty Frag" ESP XFRM variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel
other:Red Hat severity ratingcvssV3_1
  • 2026-05-07T15:56:04.044Z: Reported to Red Hat.
  • 2026-05-07T00:00:00.000Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxcac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0unaffected
LinuxLinux4.11, 0, 5.10.255, 5.15.205, 5.15.206, 6.1.171, 6.1.172, 6.6.138, 6.12.87, 6.18.28, 7.0.5, 7.1affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-123 · source CWE mapping

Write-what-where Condition

Write-what-where Condition represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.