CVE-2026-43284 | xfrm: esp: avoid in-place decrypt on shared skb frags


In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy.

The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
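The copy-or-in-place decision described above, as a user-space model added here for illustration (it is not kernel code and not taken from the patch). `toy_skb`, `splice_udp()`, `needs_cow_old()`, `needs_cow_fixed()`, `esp_input_touches_page()` and the XOR stand-in for decryption are all hypothetical; only the flag and helper names mentioned in the comments come from the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical user-space model of the skb state the text names; not kernel code. */
struct toy_skb {
    bool cloned, has_frag_list;
    bool shared_frag;   /* models the SKBFL_SHARED_FRAG marking          */
    uint8_t *frag;      /* page attached by the splice (constructed data) */
    size_t frag_len;
};

/* Datagram append path: mark_shared=false models the behaviour before the
 * fix, mark_shared=true the behaviour after it. */
static struct toy_skb splice_udp(uint8_t *page, size_t len, bool mark_shared)
{
    return (struct toy_skb){ false, false, mark_shared, page, len };
}

/* ESP input before the fix: only cloned or frag_list skbs get a private copy. */
static bool needs_cow_old(const struct toy_skb *s)
{
    return s->cloned || s->has_frag_list;
}

/* ESP input after the fix: the shared-frag marking also forces the copy. */
static bool needs_cow_fixed(const struct toy_skb *s)
{
    return needs_cow_old(s) || s->shared_frag;
}

/* XOR stands in for decryption. Returns true if the backing page itself was
 * overwritten, false if the work was done on a private copy. */
static bool esp_input_touches_page(struct toy_skb *s,
                                   bool (*needs_cow)(const struct toy_skb *))
{
    uint8_t before[64], priv[64], *dst = s->frag;
    size_t n = s->frag_len < sizeof(before) ? s->frag_len : sizeof(before);

    memcpy(before, s->frag, n);
    if (needs_cow(s))                /* models the skb_cow_data() fallback */
        dst = memcpy(priv, s->frag, n);
    for (size_t i = 0; i < n; i++)
        dst[i] ^= 0x5a;
    return memcmp(before, s->frag, n) != 0;
}
```

With an unmarked frag and `needs_cow_old` the function returns true (the shared page is overwritten); with the marking and `needs_cow_fixed` it returns false, while an unmarked private frag still takes the in-place path.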

Published: 2026-05-08
Last update: 2026-05-26
Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Conclusion & alert: CVE-2026-43284 is rated High Exploit Risk (90.1/100): CVSS High severity, with high exploitation likelihood (EPSS 92.16%, 100th percentile). Core evidence: 3 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +74.71% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2026-43284

| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 52591 | exploit_db | edb | 2026-05-29 | Exploit-DB |
| 52585 | exploit_db | edb | 2026-05-27 | Exploit-DB |
| | nvd_ref | exploit_tag | | Exploit-DB |

Exploit prediction scoring system (EPSS) score for CVE-2026-43284

EPSS is a daily estimate of the relative likelihood that a vulnerability will be exploited; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher estimated likelihood relative to the others).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 17.46% 92.16% +74.71%
2 2026-06-14 26.34% 17.46% -8.88%
3 2026-06-09 26.34%

Full EPSS history (10 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-43284

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
| 7.8 | 3.1 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |

The two vectors differ only in attack complexity (AC:L in the first, AC:H in the second). What each metric value means:

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L, first vector): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Attack complexity (AC:H, second vector): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

Weakness enumeration for CVE-2026-43284

GitHub Security Advisory for CVE-2026-43284

GHSA-mmw8-mxmc-8w2r · Severity: high — In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place...

OS Trackers for CVE-2026-43284

| Vendor | Priority | Summary | Link |
|---|---|---|---|
| debian | not yet assigned | CVE-2026-43284 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. | https://security-tracker.debian.org/tracker/CVE-2026-43284 |
| redhat | high | | https://access.redhat.com/security/cve/CVE-2026-43284 |
| suse | high | CVE-2026-43284 severity important: SUSE including 172 source package names (bpftool-4.18.0-553.123.1.el8_10.1, cluster-md-kmp-default-4.12.14-122.305.1, …), 319 product×package rows across 32 product lines (SUSE Liberty Linux 8, SUSE Liberty Linux 9, … (32 product lines)): First Fixed 231, Fixed 82, Known Not Affected 6. | https://www.suse.com/security/cve/CVE-2026-43284/ |
| ubuntu | high | CVE-2026-43284 high priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1422 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1024, released 185, ignored 169, pending 25, needed 11, not-affected 8. | https://ubuntu.com/security/CVE-2026-43284 |

Affected software / configurations for CVE-2026-43284

| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linux | linux_kernel | >= 4.11, < 5.10.255 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 5.12, < 5.15.205 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 5.16, < 6.1.171 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.2, < 6.6.138 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.7, < 6.12.87 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.13, < 6.18.28 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 7.0, < 7.0.5 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |

References for CVE-2026-43284

| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03 | Patch |
| https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034 | Patch |
| https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec | Patch |
| https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97 | Patch |
| https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7 | |
| https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9 | Patch |
| https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b | Patch |
| https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d | Patch |
| https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 | |
| https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad | |
| http://www.openwall.com/lists/oss-security/2026/05/08/7 | Mailing List |
| http://www.openwall.com/lists/oss-security/2026/05/13/6 | |
| http://www.openwall.com/lists/oss-security/2026/05/14/2 | |
| http://www.openwall.com/lists/oss-security/2026/05/14/4 | |
| https://www.vicarius.io/vsociety/posts/cve-2026-43284-detection-script-dirty-frag-linux-kernel-local-privilege-escalation | |
| https://www.vicarius.io/vsociety/posts/cve-2026-43284-mitigation-script-dirty-frag-linux-kernel-local-privilege-escalation | |
| https://github.com/V4bel/dirtyfrag | Exploit, Third Party Advisory |