PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43284 Linux CVE debrief

CVE-2026-43284 is a Linux kernel flaw in XFRM ESP processing for UDP-encapsulated traffic. When IPv4/IPv6 datagram splice paths failed to mark pipe-backed pages as shared, ESP input could decrypt data in place on skbs that were not privately owned, creating a high-impact memory corruption risk. NVD rates the issue 8.8 High and lists fixed stable kernel branches.

Vendor: Linux
Product: CVE-2026-43284
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, distro security teams, and operators of systems that use IPsec/ESP over UDP—especially where MSG_SPLICE_PAGES, UDP datagram append paths, or pipe-backed packet construction may occur.

Technical summary

The bug stems from a mismatch between how shared pipe pages are marked and how ESP input decides whether it can safely modify packet data in place. TCP already sets SKBFL_SHARED_FRAG after skb_splice_from_iter(), but the IPv4/IPv6 datagram append paths did not set that flag when splicing pages into UDP skbs. As a result, an ESP-in-UDP packet built from shared pipe pages could look like an ordinary uncloned nonlinear skb, causing ESP input to take the no-COW fast path and decrypt over externally backed data. The fix marks IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG and makes ESP input fall back to skb_cow_data() when the flag is present; private nonlinear frags still use the existing fast path. The supplied corpus also states that ESP output is intentionally unchanged.
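To make the decision described above concrete, here is an added, simplified user-space model (not the kernel's own code) of the check ESP input performs before decrypting in place, with the pre-fix and post-fix variants side by side. Field names mirror the kernel helpers the summary mentions (skb_cloned, skb_is_nonlinear, skb_has_frag_list, SKBFL_SHARED_FRAG); the flag's bit value and the struct are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative bit standing in for the kernel's SKBFL_SHARED_FRAG. */
#define SKBFL_SHARED_FRAG 0x2

/* Minimal stand-in for the skb state the ESP input check looks at. */
struct model_skb {
    bool cloned;         /* skb_cloned(): buffer shared with another skb */
    bool nonlinear;      /* skb_is_nonlinear(): payload lives in page frags */
    bool has_frag_list;  /* skb_has_frag_list(): chained skbs present */
    unsigned int flags;  /* skb_shinfo(skb)->flags */
};

/* Pre-fix decision: a shared pipe page is indistinguishable from a private
 * frag, so an uncloned nonlinear skb without a frag list takes the no-COW
 * fast path and is decrypted in place. */
static bool esp_in_place_vulnerable(const struct model_skb *skb)
{
    if (skb->cloned) return false;          /* must skb_cow_data() */
    if (!skb->nonlinear) return true;       /* linear: fast path */
    if (!skb->has_frag_list) return true;   /* nonlinear, no list: fast path */
    return false;                           /* frag list: must skb_cow_data() */
}

/* Post-fix decision: SKBFL_SHARED_FRAG forces the skb_cow_data() fallback;
 * private nonlinear frags keep the existing fast path. */
static bool esp_in_place_fixed(const struct model_skb *skb)
{
    if (skb->cloned) return false;
    if (!skb->nonlinear) return true;
    if (skb->has_frag_list) return false;
    return !(skb->flags & SKBFL_SHARED_FRAG);
}

/* Models the IPv4/IPv6 datagram splice path building a UDP skb from pipe
 * pages: unpatched, it left flags alone; patched, it marks the frags shared
 * the way TCP already did after skb_splice_from_iter(). */
static struct model_skb udp_splice_pages(bool patched_splice)
{
    struct model_skb skb = { false, true, false, 0 };
    if (patched_splice) skb.flags |= SKBFL_SHARED_FRAG;
    return skb;
}

int main(void)
{
    struct model_skb before = udp_splice_pages(false), after = udp_splice_pages(true);
    printf("unpatched splice, old check: in place = %d (bug)\n", esp_in_place_vulnerable(&before));
    printf("patched splice,   new check: in place = %d (COW)\n", esp_in_place_fixed(&after));
    return 0;
}
```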

Defensive priority

High. The record assigns CVSS 3.1 8.8 High with AV:L/PR:L and scope changed, which is consistent with serious kernel-level impact. Prioritize patched kernel deployment on systems that may process ESP-in-UDP traffic or use pipe-backed skb construction.

Recommended defensive actions

  • Upgrade to a kernel release that includes the stable fixes referenced by NVD for your branch.
  • Treat hosts running IPsec/ESP over UDP as higher priority, especially if workloads use MSG_SPLICE_PAGES or other pipe-to-skb data paths.
  • Map the affected upstream version ranges in NVD to your vendor kernel packages and confirm the fix is present before declaring systems remediated.
  • If immediate upgrading is not possible, minimize local access to affected systems and monitor kernel/IPsec behavior for anomalies until patching is complete.

Evidence notes

All technical claims here are drawn from the supplied NVD record, its linked kernel.org stable patch references, and the published CVE record. The CVE was published on 2026-05-08 and modified on 2026-05-11; those dates are used for timeline context only. NVD lists affected Linux kernel version ranges from 4.11 through branch-specific fixed releases, and it also includes a third-party exploit/advisory reference; this debrief does not rely on that third-party material. No KEV entry is present in the supplied enrichment data.

Official resources

Published by NVD on 2026-05-08T08:16:43.827Z and modified on 2026-05-11T08:16:08.130Z. The supplied corpus includes upstream stable patch references and an NVD-listed third-party exploit/advisory link.