CVE-2026-43078 [High] | Out-of-bounds Write in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl When page reassignment was added to af_alg_pull_tsgl the original loop wasn't updated so it may try to reassign one more page than necessary. Add the check to the reassignment so that this does not happen. Also update the comment which still refers to the obsolete offset argument.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-06	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-06

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.9	416baaa9-dc9f-4396-8d5f-8c081fb06d67

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.8

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.9

416baaa9-dc9f-4396-8d5f-8c081fb06d67

OS Trackers for CVE-2026-43078

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2026-43078 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-43078
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2026-43078
`suse`	medium	CVE-2026-43078 severity moderate: SUSE including 4 source package names (kernel-default, kernel-default-base, kernel-default-devel, kernel-source), 6 product×package rows across 2 product lines (SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE, SUSE Linux Enterprise Server Teradata 12 SP3): Known Not Affected 6.	https://www.suse.com/security/cve/CVE-2026-43078/
`ubuntu`	medium	CVE-2026-43078 medium priority: Ubuntu including 161 source packages (linux, linux-allwinner-5.19, …), 1449 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1047, ignored 170, released 163, pending 35, not-affected 18, needs-triage 10, needed 6.	https://ubuntu.com/security/CVE-2026-43078

Affected software / configurations for CVE-2026-43078

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 4.14.1, < 5.10.254	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.15.204	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 6.1.170	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2, < 6.6.137	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.7, < 6.12.85	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.18.24	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.19, < 6.19.14	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	4.14	cpe:2.3:o:linux:linux_kernel:4.14:-::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

References for CVE-2026-43078

URL	Tags
https://git.kernel.org/stable/c/2b781d1d4f933990318bcc5c68fb75a717379e42	Patch
https://git.kernel.org/stable/c/31d00156e50ecad37f2cb6cbf04aaa9a260505ef	Patch
https://git.kernel.org/stable/c/710a4ce5d7afd9fe082c75dec282ab4a11c0fe71	Patch
https://git.kernel.org/stable/c/9532501e0f1b200ea80baa0e33e0b06da10bb271	Patch
https://git.kernel.org/stable/c/c8369a6d62f5abde9cbd4b62c45bf4b996be2468	Patch
https://git.kernel.org/stable/c/dea5fcf085f977b6c2de1b2d4ec4767b6c840d1f	Patch
https://git.kernel.org/stable/c/f7826bc0b39928a4a22f6b815dd9940b22a63503	Patch
https://git.kernel.org/stable/c/fa48d3ea9cdbfb28c1fd6756c6c5cd01351aa51e	Patch

URL

CVE-2026-43078 | crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl

Exploit prediction scoring system (EPSS) score for CVE-2026-43078

Common vulnerability scoring system (CVSS) metrics for CVE-2026-43078

Weakness enumeration for CVE-2026-43078

GitHub Security Advisory for CVE-2026-43078

OS Trackers for CVE-2026-43078

Affected software / configurations for CVE-2026-43078

References for CVE-2026-43078