PatchSiren

CVE-2026-43465 Linux CVE debrief

CVE-2026-43465 is a critical Linux kernel issue in the mlx5e RX path. When XDP multi-buffer programs change an XDP buffer’s layout, the driver can fail to count dropped fragments correctly for striding RQ, leading to page fragment reference-counting errors and kernel warnings during RX teardown. The supplied record says the bug affects XDP_TX, XDP_REDIRECT, and XDP_PASS handling and was found by the drivers/net/xdp.py selftest.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-20
Advisory published: 2026-05-08
Advisory updated: 2026-05-20

Who should care

Administrators and vendors supporting Linux kernels with the mlx5 driver, especially systems using XDP multi-buffer programs and striding RQ. Security teams should prioritize hosts that rely on high-performance networking paths, RDMA/NIC-adjacent deployments, or custom kernels that may carry mlx5 backports.

Technical summary

The issue arises after a prior mlx5 fix corrected an assumption that XDP buffer layout never changes during program execution. In this case, XDP programs can call bpf_xdp_pull_data() or bpf_xdp_adjust_tail(), which may move or remove tail fragments. The mlx5 driver still needs to account for all original XDP buffer fragments on the driver side. According to the record, skipping that accounting can leave page_pool fragment references inconsistent, producing a negative reference-count condition when the page is later released. The NVD entry lists affected upstream ranges including 6.6.115-<6.7, 6.12.56-<6.13, 6.17.6-<6.18, 6.18.1-<6.18.19, and 6.19-<6.19.9, plus specific 6.18/rc builds through 7.0-rc3.

Defensive priority

Critical

Recommended defensive actions

  • Apply the official Linux kernel fixes referenced in the NVD record and ensure your vendor kernel has the corresponding backport.
  • Prioritize systems using the mlx5 driver with XDP multi-buffer features or striding RQ.
  • Verify whether your running kernels fall within the affected version ranges listed by NVD, then confirm downstream vendor backports rather than relying on version number alone.
  • If you maintain kernels internally, run the relevant XDP selftests after patching, including the drivers/net/xdp.py coverage mentioned in the record.
  • Watch for page_pool helper warnings or mlx5e_page_release_fragmented splats during validation and regression testing.
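
A first-pass triage for the version check and warning watch in the list above, as an added example that is not part of the NVD record or the kernel tree. The function names, result labels and sample log lines are constructed for illustration; releases the page mentions without enumerating (the 6.18/rc builds through 7.0-rc3) are flagged for manual review.

```python
import re

# Affected upstream ranges as listed on this page: (first affected, first fixed).
AFFECTED_RANGES = [
    ((6, 6, 115), (6, 7, 0)),
    ((6, 12, 56), (6, 13, 0)),
    ((6, 17, 6), (6, 18, 0)),
    ((6, 18, 1), (6, 18, 19)),
    ((6, 19, 0), (6, 19, 9)),
]

def classify_release(release):
    """Classify a `uname -r` string against the listed upstream ranges."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return "unparsed"
    version = tuple(int(g or 0) for g in m.groups())
    # The page names "6.18/rc builds through 7.0-rc3" without enumerating
    # them, so those releases are flagged for manual review, not guessed.
    if "-rc" in release or version == (6, 18, 0):
        return "manual-review"
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return "in-listed-range"
    return "outside-listed-ranges"

def find_splat_lines(log_lines):
    """Return kernel log lines matching the warnings the page says to watch for."""
    hits = []
    for line in log_lines:
        if "mlx5e_page_release_fragmented" in line or (
            "WARNING" in line and "page_pool" in line
        ):
            hits.append(line)
    return hits

# Constructed sample input (not taken from a real host or from the CVE record).
SAMPLE_LOG = [
    "[  101.1] mlx5_core 0000:08:00.0 eth2: Link up",
    "[  212.7] WARNING: CPU: 3 PID: 0 at include/net/page_pool/helpers.h "
    "mlx5e_page_release_fragmented+0x0/0x0 [mlx5_core]",
    "[  212.9] Call Trace:",
]

if __name__ == "__main__":
    for rel in ("6.12.58-1-amd64", "6.18.19", "6.19.0-rc5", "5.14.0-427.el9"):
        print(rel, "->", classify_release(rel))
    print(find_splat_lines(SAMPLE_LOG))
```

On vendor kernels treat the result only as a first filter, since backports can change exposure without changing the version string.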

Evidence notes

The CVE description states that XDP multi-buf programs can alter buffer layout via bpf_xdp_pull_data() or bpf_xdp_adjust_tail(), and that mlx5 failed to count dropped fragments for all relevant XDP actions. The supplied record includes a selftest-triggered warning splat involving page_pool reference counting. Timeline context: the CVE was published on 2026-05-08 and modified on 2026-05-20; NVD marks the vulnerability status as Analyzed.

Official resources

Publicly disclosed in the supplied record on 2026-05-08; NVD modified the entry on 2026-05-20. The issue was identified through Linux kernel selftesting and addressed by official kernel patches referenced in NVD.