CVE-2026-43284

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: esp: avoid in-place decrypt on shared skb frags<br /> <br /> MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP<br /> marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),<br /> so later paths that may modify packet data can first make a private<br /> copy. The IPv4/IPv6 datagram append paths did not set this flag when<br /> splicing pages into UDP skbs.<br /> <br /> That leaves an ESP-in-UDP packet made from shared pipe pages looking<br /> like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW<br /> fast path for uncloned skbs without a frag_list and decrypts in place<br /> over data that is not owned privately by the skb.<br /> <br /> Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching<br /> TCP. Also make ESP input fall back to skb_cow_data() when the flag is<br /> present, so ESP does not decrypt externally backed frags in place.<br /> Private nonlinear skb frags still use the existing fast path.<br /> <br /> This intentionally does not change ESP output. In esp_output_head(),<br /> the path that appends the ESP trailer to existing skb tailroom without<br /> calling skb_cow_data() is not reachable for nonlinear skbs:<br /> skb_tailroom() returns zero when skb-&gt;data_len is nonzero, while ESP<br /> tailen is positive. Thus ESP output will either use the separate<br /> destination-frag path or fall back to skb_cow_data().