PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43464 Linux CVE debrief

CVE-2026-43464 is a Linux kernel vulnerability in the mlx5e receive path that affects XDP multi-buffer handling on legacy RQ. When an XDP program changes the buffer layout, the driver's page-fragment accounting can fall out of sync with the fragments actually held, which can drive a page-pool reference count (pp_ref_count) negative and trigger a kernel warning when the pages are released. NVD records the issue as a high-severity availability problem, and the fixes are the upstream stable patches cited as the CVE's official references.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-20
Advisory published: 2026-05-08
Advisory updated: 2026-05-20

Who should care

Kernel and platform teams running Linux systems with the mlx5 (mlx5_core) driver, especially hosts that attach XDP multi-buffer programs to mlx5e interfaces, run the legacy RQ mode, or push high-throughput traffic through NVIDIA/Mellanox hardware. Cloud operators, network appliance maintainers, and anyone backporting mlx5e/XDP fixes to supported kernel branches should treat this as relevant.

Technical summary

The mlx5e RX path assumed that the xdp_buff fragment layout seen before the XDP program ran would still hold afterwards. A multi-buffer (frags-aware) XDP program can change that layout with bpf_xdp_pull_data() or bpf_xdp_adjust_tail(), both of which can drop trailing fragments. According to the supplied description, after an earlier fix changed the accounting logic the driver no longer counted the original fragments dropped by the program for all relevant actions (XDP_TX, XDP_REDIRECT, and XDP_PASS). The page-fragment counters then no longer matched the pages actually held, and pp_ref_count could go negative when the pages were released. A negative pp_ref_count means a page was unreferenced more times than it was referenced, so the page-pool warning is the visible symptom of the accounting error, not its full extent. The fix restores page-fragment counting for the original XDP buffer fragments and adjusts how nr_frags is computed for xdp_update_skb_frags_info() when frag_page still points to the original tail.

Defensive priority

High for systems using mlx5e with XDP multi-buffer workloads. The scored impact is availability, but a reference count that goes negative is a correctness defect in page ownership, and the kernel warning is the point at which the kernel notices it. Prioritize hosts that terminate untrusted traffic through XDP multi-buffer programs on mlx5e, and any host already logging intermittent page-pool warnings.

Recommended defensive actions

  • Check whether your kernels fall within the vulnerable NVD ranges: 6.6.115 through before 6.7, 6.12.56 through before 6.13, 6.17.6 through before 6.18, 6.18.1 through before 6.18.19, or 6.19 through before 6.19.9. These are upstream stable version numbers; distribution kernels that backport fixes carry their own version strings, so a version outside these ranges means "not listed", not "fixed".
  • Apply the relevant upstream stable patch(es) linked in the official kernel references or ensure your vendor kernel has backported the fix.
  • If you rely on mlx5e and XDP multi-buffer programs, prioritize validation on representative traffic and test for page-pool or refcount warnings after updating.
  • Monitor for kernel warnings that name page_pool helpers or mlx5e_page_release_fragmented; the supplied report identifies that warning as the visible failure mode, so its appearance on an unpatched host is a signal to move that host up the rollout order.
  • Track vendor advisories and backport status for your supported kernel branches before scheduling production rollout.
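The version-range check and the log monitoring in the list above, as an added shell example that is not part of the PatchSiren page or of the kernel project. It encodes the five NVD ranges exactly as listed, treats anything outside them as "not in a published range" rather than "fixed" (vendor kernels that backport the patch report their own version strings), and scans kernel log text for the two symptom strings the report names. The dmesg sample inside the script is constructed for illustration; its timestamps, offsets and CPU/PID values are placeholders, not a real trace.

```sh
#!/bin/sh
# Added triage example for CVE-2026-43464; not PatchSiren or kernel code.
# Assumptions: POSIX sh, uname and grep available; dmesg access is optional.

# NVD ranges from the advisory, written as "lowest_vulnerable:first_fixed".
# The upper bound is exclusive; "6.19" means 6.19.0.
VULN_RANGES="6.6.115:6.7 6.12.56:6.13 6.17.6:6.18 6.18.1:6.18.19 6.19:6.19.9"

# ver_num "6.18.5-generic" -> 600180005
# Keeps only the leading dotted-numeric part, so distro suffixes are ignored.
ver_num() {
    v=${1%%[!0-9.]*}
    oldifs=$IFS
    IFS=.
    set -- $v
    IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    echo $(( maj * 100000000 + min * 10000 + pat ))
}

# Returns 0 if the version falls inside one of the published ranges.
# Outside the ranges means "not listed", not "fixed": a vendor kernel that
# backports the patch keeps a version string these ranges say nothing about.
kernel_in_vulnerable_range() {
    n=$(ver_num "$1")
    for r in $VULN_RANGES; do
        lo=$(ver_num "${r%%:*}")
        hi=$(ver_num "${r#*:}")
        if [ "$n" -ge "$lo" ] && [ "$n" -lt "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Reads kernel log text on stdin and prints how many lines mention the two
# symptom strings the report names: page_pool helpers and the mlx5e release path.
count_page_pool_warnings() {
    grep -Ec 'page_pool|mlx5e_page_release_fragmented' || true
}

# Constructed sample log (not a real trace): the shape of a page-pool WARN whose
# call trace passes through the mlx5e release helper. Offsets are placeholders.
SAMPLE_DMESG='[  101.220000] mlx5_core 0000:03:00.0 eth0: Link up
[  340.510000] WARNING: CPU: 5 PID: 0 at net/core/page_pool.c page_pool_unref_netmem+0x.../0x...
[  340.510100] Call Trace:
[  340.510200]  mlx5e_page_release_fragmented+0x.../0x... [mlx5_core]
[  500.000000] eth0: NIC Link is Up'

# Host triage: running kernel, whether mlx5_core is loaded, and whether the
# symptom string has already appeared in the ring buffer.
triage_host() {
    running=$(uname -r)
    if kernel_in_vulnerable_range "$running"; then
        echo "kernel $running: inside a published vulnerable range"
    else
        echo "kernel $running: not in a published range (check vendor backport status)"
    fi
    # /proc/modules lists loadable modules only; a built-in mlx5_core will not appear here.
    if grep -qs '^mlx5_core ' /proc/modules; then
        echo "mlx5_core loaded: check XDP attachments with 'ip -d link show'"
    else
        echo "mlx5_core not loaded as a module"
    fi
    hits=$( (dmesg 2>/dev/null || true) | count_page_pool_warnings )
    echo "page_pool/mlx5e release warnings in dmesg: $hits"
}

case "${1:-}" in
    --run)  triage_host ;;
    --demo) printf '%s\n' "$SAMPLE_DMESG" | count_page_pool_warnings ;;
esac
```

Run it as `sh triage.sh --run` on the host (dmesg may need elevated privileges; the script reports 0 hits rather than failing when it cannot read the ring buffer). `--demo` runs the scanner over the constructed sample and prints 2. A host whose mlx5e interfaces carry no XDP program is lower priority under the advisory's own guidance, but programs can be attached at any time, so such hosts should still take the fix on the normal kernel update schedule.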

Evidence notes

The vulnerability description states that mlx5e RX legacy RQ fragment counting was incorrect for XDP multi-buffer programs after bpf_xdp_pull_data() or bpf_xdp_adjust_tail(), and that the resulting mismatch can produce a negative pp_ref_count and a kernel warning. NVD marks the CVE as analyzed, severity HIGH, and lists the vulnerable version ranges. The official reference links are kernel stable patch commits, which support the remediation guidance. Published and modified timestamps in the supplied record were used as the CVE timing context.

Official resources

Publicly disclosed in the supplied record on 2026-05-08T15:16:59.283Z, with a later metadata update on 2026-05-20T18:39:13.850Z. The CVE record and NVD entry are the authoritative sources for timing context.