[SRU][R/Q/N][PATCH 0/3] CVE-2026-43500

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Sat May 16 12:28:37 UTC 2026


https://ubuntu.com/security/CVE-2026-43500

[ Impact ]

rxkad_verify_packet_1() performs in-place pcbc(fcrypt) decryption 
using the same scatter-gather list as both source and destination.
When an attacker uses splice() to pin a page cache page
into the socket buffer fragment, the decryption output gets written
directly into that page cache page.

The 8 bytes written are the output of fcrypt_decrypt(C, K),
where both the ciphertext and key come from an unprivileged add_key("rxrpc", ...) call.
Since fcrypt is a deterministic 56-bit cipher portable to userspace,
the attacker can brute-force K until the decryption produces any desired 8-byte value,
allowing an unprivileged local user to write arbitrary data into the page cache.

[ Fix ]

For Resolute, backport the following commits from linux-7.0.y:
- d9b93a0f57ca rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
- 8fde6296c4d4 rxrpc: Fix potential UAF after skb_unshare() failure
- 3c64335007f1 rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
- d45179f87952 rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

For Questing, backport the following commits from linux-6.18.y:
- d0035e634dae rxrpc: only handle RESPONSE during service challenge
- ca71ac2de389 rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
- 996b0487b3cd rxrpc: Fix potential UAF after skb_unshare() failure
- 761c37b761ed rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
- 3eae0f4f9f72 rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

For Noble, backport the following commits from linux-6.12.y:
- 29b44d904dce rxrpc: only handle RESPONSE during service challenge
- 98a2046d155f rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
- 3e0b83ee535d rxrpc: Parse received packets before dealing with timeouts
- bf20f46d94f1 rxrpc: Fix potential UAF after skb_unshare() failure
- 016725807ce3 rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
- 3711382a7734 rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

Jammy and older are WIP.

Note that the commit ("rxrpc: only handle RESPONSE during service challenge")
also fixes CVE-2026-31676.
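
As an added illustration of the defect and of the unshare-based fix, here is a user-space model written for this note; it is not code from the kernel or from the backported commits, and the skb layout, the toy XOR cipher standing in for pcbc(fcrypt) and the buffers are all hypothetical stand-ins:

```c
/* Added model of the CVE-2026-43500 bug class, not code from the patches. A toy
 * XOR stands in for pcbc(fcrypt) and a plain buffer for the page cache page that
 * splice() pinned into the skb fragment. All names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define BLOCK 8

/* Minimal skb: one paged fragment, flagged if it references a page we do not own. */
struct skb { uint8_t *frag; int frag_shared; };

/* Stand-in for fcrypt_decrypt(): deterministic, in place, one 8-byte block. */
static void toy_decrypt_inplace(uint8_t *blk, const uint8_t key[BLOCK]) {
    for (int i = 0; i < BLOCK; i++) blk[i] ^= key[i];
}

/* Vulnerable path: src == dst, so the output lands wherever the fragment points. */
static void verify_packet_vuln(struct skb *s, const uint8_t key[BLOCK]) {
    toy_decrypt_inplace(s->frag, key);
}

/* Fixed path: copy a shared fragment to private storage before mutating it (what
 * the backported skb_unshare() calls do); on allocation failure, touch nothing. */
static int verify_packet_fixed(struct skb *s, const uint8_t key[BLOCK]) {
    if (s->frag_shared) {
        uint8_t *priv = malloc(BLOCK);
        if (!priv) return -1;
        memcpy(priv, s->frag, BLOCK);
        s->frag = priv;
        s->frag_shared = 0;
    }
    toy_decrypt_inplace(s->frag, key);
    return 0;
}

/* Run one packet through the chosen path; return 1 if the shared page changed. */
int page_cache_modified(int use_fix) {
    uint8_t page[BLOCK] = { 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 }; /* constructed */
    const uint8_t key[BLOCK] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 }; /* constructed */
    uint8_t before[BLOCK];
    struct skb s = { page, 1 };
    memcpy(before, page, BLOCK);
    if (use_fix) {
        if (verify_packet_fixed(&s, key) == 0 && s.frag != page)
            free(s.frag);
    } else {
        verify_packet_vuln(&s, key);
    }
    return memcmp(before, page, BLOCK) != 0;
}
```

The vulnerable path overwrites the borrowed page with the decryption output; the fixed path leaves it untouched because the write goes to the private copy.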

[ Test Plan ]

Compiled and boot tested.
Tested using the publicly available exploit.

[ Where Problems Could Occur ]

If a regression is introduced, RxRPC-based services such as AFS clients
could experience dropped or mishandled packets, leading to connection failures
or data corruption.

[ Other Info ]

https://github.com/V4bel/dirtyfrag
