PatchSiren cyber security CVE debrief

CVE-2026-43092 Linux CVE debrief

A validation flaw in the Linux kernel's AF_XDP socket bind operation allows zero-copy pool configurations that do not accommodate the device MTU within the usable frame space. When tailroom is subtracted from chunk_size, a 2KB chunk may be insufficient for standard 1500-byte MTU frames. The kernel now validates at bind time that the MTU fits within the frame size and that underlying hardware can satisfy the configured MTU with respect to XSK's frame size multiplied by the supported Rx buffer chain length (net_device::xdp_zc_max_segs). This is a local denial-of-service condition requiring privileges to configure AF_XDP sockets.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-06
Original CVE updated: 2026-05-19
Advisory published: 2026-05-06
Advisory updated: 2026-05-19

Who should care

Linux system administrators operating high-performance networking with AF_XDP zero-copy sockets; kernel maintainers; network stack developers; security teams monitoring local privilege-required DoS vectors in kernel networking subsystems

Technical summary

The AF_XDP (Address Family eXpress Data Path) socket implementation in the Linux kernel did not validate that the network device MTU would fit within the usable frame space of a zero-copy UMEM pool at bind time. With the introduction of tailroom accounting, a 2KB chunk size may not provide sufficient space for standard 1500-byte MTU frames after headroom and tailroom deductions. The fix adds validation at bind time to ensure the MTU fits within the usable frame size and that hardware can satisfy the MTU given XSK's frame size and the supported Rx buffer chain length (xdp_zc_max_segs). This prevents misconfigurations that could lead to packet handling failures. The vulnerability is local, requires privileges to configure AF_XDP sockets, and results in availability impact only.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches (6.6.136+, 6.12.83+, 6.18.24+, 6.19.14+, or 7.0-rc8+) to ensure AF_XDP bind validates MTU against frame size
  • Review AF_XDP socket configurations for MTU/frame size mismatches on systems using zero-copy pools
  • Monitor kernel logs for bind-time validation failures after patching
  • Validate UMEM chunk sizes account for headroom, tailroom, and MTU requirements in zero-copy deployments
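
The arithmetic behind the technical summary and the chunk-size review above can be run as a pre-deployment check. The following is an added example, not kernel code or code from the advisory. The struct, function names, and the 320-byte tailroom figure are assumptions for illustration, and the sample configurations are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* XDP_PACKET_HEADROOM is the kernel UAPI value. ASSUMED_TAILROOM is an
 * assumption (aligned skb_shared_info on a typical x86_64 build); confirm both
 * against the kernel you actually run. L2 header overhead is ignored here. */
#define XDP_PACKET_HEADROOM 256u
#define ASSUMED_TAILROOM    320u

enum verdict { FITS_ONE_FRAME, FITS_CHAINED, MTU_TOO_BIG, NO_USABLE_SPACE };

struct umem_cfg {            /* hypothetical struct for this example */
    uint32_t chunk_size;     /* UMEM chunk size, bytes */
    uint32_t headroom;       /* extra headroom requested at UMEM registration */
    uint32_t mtu;            /* device MTU */
    uint32_t zc_max_segs;    /* net_device::xdp_zc_max_segs (0 or 1 = no chaining) */
};

/* Bytes left in one chunk after headroom and tailroom are subtracted. */
static uint32_t usable_frame(const struct umem_cfg *c)
{
    uint64_t overhead = (uint64_t)XDP_PACKET_HEADROOM + c->headroom + ASSUMED_TAILROOM;
    return overhead >= c->chunk_size ? 0 : (uint32_t)(c->chunk_size - overhead);
}

/* Model of the bind-time arithmetic the page describes, not the kernel's code. */
static enum verdict check_umem(const struct umem_cfg *c)
{
    uint32_t frame = usable_frame(c);
    uint32_t segs = c->zc_max_segs ? c->zc_max_segs : 1;

    if (frame == 0) return NO_USABLE_SPACE;
    if (c->mtu <= frame) return FITS_ONE_FRAME;
    return (uint64_t)frame * segs >= c->mtu ? FITS_CHAINED : MTU_TOO_BIG;
}

int main(void)
{
    static const char *name[] = { "fits one frame", "fits when chained", "MTU too big", "no usable space" };
    const struct umem_cfg cases[] = {  /* constructed sample configurations */
        { 2048, 0, 1500, 1 }, { 4096, 0, 1500, 1 }, { 2048, 0, 9000, 8 }, { 2048, 0, 9000, 4 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("chunk=%u mtu=%u segs=%u usable=%u -> %s\n", cases[i].chunk_size, cases[i].mtu,
               cases[i].zc_max_segs, usable_frame(&cases[i]), name[check_umem(&cases[i])]);
    return 0;
}
```

With these assumed overheads a 2KB chunk leaves 1472 usable bytes, which is the shortfall against a 1500-byte MTU that the summary describes.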

Evidence notes

CVE published 2026-05-06; modified 2026-05-19. Patches available for stable kernel branches 6.6, 6.12, 6.18, 6.19, and 7.0-rc series. CVSS 5.5 (MEDIUM) per NVD. CPE ranges indicate affected versions from 6.6 through 6.6.135, 6.7 through 6.12.82, 6.13 through 6.18.23, 6.19 through 6.19.13, and 7.0-rc1 through rc7.
