Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-05-11T00:00:00 kernel: "Dirty Frag" RxRPC variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CWE-123

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.

A flaw was found in the Linux kernel's RxRPC networking subsystem. When a socket buffer carrying a page-cache reference reaches the RxRPC authentication verification path, the kernel performs an in-place decryption directly on the referenced page without first isolating the buffer. A low-privileged local attacker can exploit this behavior to corrupt the page-cache contents of readable files, including sensitive system files such as /etc/passwd, and obtain root privileges. Exploitation does not require unprivileged user or network namespaces, but depends on the RxRPC protocol stack being available on the target system.

This issue is classified as Important, rather than Critical severity, because exploitation requires local access to the system. A low-privileged local attacker can exploit this flaw in the Linux kernel's RxRPC subsystem to gain root privileges by overwriting sensitive system files. Exploitation does not require user interaction, potentially resulting in full compromise of confidentiality, integrity, and availability. While the kernel source RPM for Red Hat Enterprise Linux 9 and 10 includes the `rxrpc` module in its build configuration, the binary RPMs that provide this module are not shipped or supported by Red Hat. The module is not installed by default and is not included in any other kernel binary package. For OpenShift Container Platform 4, the RPMs are not included in Red Hat Enterprise Linux CoreOS (RHCOS) images and is not installable through any supported cluster workflow. See the security bulletin for a detailed mitigation procedure. Red Hat Enterprise Linux 10 Not affected kernel Red Hat Enterprise Linux 10 Not affected libkrun Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Not affected kernel Red Hat Enterprise Linux 8 Not affected kernel-rt Red Hat Enterprise Linux 9 Not affected kernel Red Hat Enterprise Linux 9 Not affected kernel-rt Red Hat OpenShift Container Platform 4 Not affected rhcos https://www.cve.org/CVERecord?id=CVE-2026-43500 https://nvd.nist.gov/vuln/detail/CVE-2026-43500 https://lore.kernel.org/linux-cve-announce/2026051149-CVE-2026-43500-60d6@gregkh/T True