CVE-2026-43039

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch<br /> <br /> emac_dispatch_skb_zc() allocates a new skb via napi_alloc_skb() but<br /> never copies the packet data from the XDP buffer into it. The skb is<br /> passed up the stack containing uninitialized heap memory instead of<br /> the actual received packet, leaking kernel heap contents to userspace.<br /> <br /> Copy the received packet data from the XDP buffer into the skb using<br /> skb_copy_to_linear_data().<br /> <br /> Additionally, remove the skb_mark_for_recycle() call since the skb is<br /> backed by the NAPI page frag allocator, not page_pool. Marking a<br /> non-page_pool skb for recycle causes the free path to return pages to<br /> a page_pool that does not own them, corrupting page_pool state.<br /> <br /> The non-ZC path (emac_rx_packet) does not have these issues because it<br /> uses napi_build_skb() to wrap the existing page_pool page directly,<br /> requiring no copy, and correctly marks for recycle since the page comes<br /> from page_pool_dev_alloc_pages().