CVE-2026-43089 Linux CVE debrief

Who should care

Linux kernel administrators, distro maintainers, and teams operating systems that use XFRM/IPsec-related kernel functionality should pay attention to this issue, especially where kernel updates are centrally managed or delayed.

Technical summary

According to the CVE description, struct xfrm_usersa_id contains a one-byte padding hole after the proto field. In build_mapping(), that hole was not cleared before the structure was copied out to userspace, creating a small kernel info leak. The referenced kernel fixes address this by zero-initializing the structure before populating its fields.

Defensive priority

Patch priority should be moderate and timely. This is an information leak rather than a code-execution issue, but it still warrants prompt kernel updates because it exposes kernel memory contents to userspace.

Recommended defensive actions

• Apply the kernel update or backport that includes the build_mapping() zero-initialization fix.
• Verify whether your distro or kernel stream has already incorporated the referenced stable kernel commits.
• Prioritize deployment on systems that rely on XFRM/IPsec functionality or where local users can trigger kernel networking paths.
• Track the CVE record and vendor advisories for any later clarification of affected versions or severity.

Evidence notes

The supplied CVE description states: "xfrm_user: fix info leak in build_mapping()" and explains that a one-byte padding hole in struct xfrm_usersa_id was not set to zero before copying to userspace. The source record is from NVD, marked "Undergoing Analysis," with official kernel.org stable references as remediation evidence. CVE publishedAt and modifiedAt are both 2026-05-06T10:16:22.200Z and 2026-05-06T13:08:07.970Z respectively.

Official resources