ACK: [SRU][R/Q/N][PATCH 0/3] CVE-2026-43500

Edoardo Canepa edoardo.canepa at canonical.com
Tue May 19 11:14:50 UTC 2026


Acked-by: Edoardo Canepa <edoardo.canepa at canonical.com>

On 5/16/26 14:28, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2026-43500
>
> [ Impact ]
>
> rxkad_verify_packet_1() performs in-place pcbc(fcrypt) decryption
> using the same scatter-gather list as both source and destination.
> When an attacker uses splice() to pin a page cache page
> into the socket buffer fragment, the decryption output gets written
> directly into that page cache page.
>
> The 8 bytes written are the output of fcrypt_decrypt(C, K),
> where both the ciphertext and key come from an unprivileged add_key("rxrpc", ...) call.
> Since fcrypt is a deterministic 56-bit cipher portable to userspace,
> the attacker can brute-force K until the decryption produces any desired 8-byte value,
> allowing an unprivileged local user to write arbitrary data into the page cache.
>
> [ Fix ]
>
> For Resolute, backport the following commits from linux-7.0.y:
> - d9b93a0f57ca rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
> - 8fde6296c4d4 rxrpc: Fix potential UAF after skb_unshare() failure
> - 3c64335007f1 rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
> - d45179f87952 rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
>
> For Questing, backport the following commits from linux-6.18.y:
> - d0035e634dae rxrpc: only handle RESPONSE during service challenge
> - ca71ac2de389 rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
> - 996b0487b3cd rxrpc: Fix potential UAF after skb_unshare() failure
> - 761c37b761ed rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
> - 3eae0f4f9f72 rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
>
> For Noble, backport the following commits from linux-6.12.y:
> - 29b44d904dce rxrpc: only handle RESPONSE during service challenge
> - 98a2046d155f rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
> - 3e0b83ee535d rxrpc: Parse received packets before dealing with timeouts
> - bf20f46d94f1 rxrpc: Fix potential UAF after skb_unshare() failure
> - 016725807ce3 rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
> - 3711382a7734 rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
>
> Jammy and older are WIP.
>
> Notice that the commit ("rxrpc: only handle RESPONSE during service challenge")
> also fixes CVE-2026-31676.
>
> [ Test Plan ]
>
> Compiled and boot tested.
> Tested using the publicly available exploit.
>
> [ Where Problems Could Occur ]
>
> If a regression is introduced, RxRPC-based services such as AFS clients
> could experience dropped or mishandled packets, leading to connection failures
> or data corruption.
>
> [ Other Info ]
>
> https://github.com/V4bel/dirtyfrag
>
>
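A reviewer-side check, added here as an example and not part of the SRU mail or of the kernel tree: given the subject lines from `git log --format=%s` on the branch under review, it reports which of the subjects listed under [ Fix ] are missing. The `check_backports` name, the sample log and its UBUNTU: lines are constructed for this example.

```shell
#!/bin/sh
# check_backports LOG_FILE EXPECTED_FILE
#   LOG_FILE      : output of `git log --format=%s` on the branch under review
#   EXPECTED_FILE : one expected commit subject per line
# Returns 0 when every subject is present, 1 otherwise (missing ones printed).
check_backports() {
    log_file=$1
    expected_file=$2
    missing=0
    while IFS= read -r subject; do
        [ -z "$subject" ] && continue
        # -F: literal match (subjects contain parentheses and slashes)
        # -x: whole-line match, so a partial subject does not count as present
        if ! grep -Fxq -- "$subject" "$log_file"; then
            printf 'MISSING: %s\n' "$subject"
            missing=$((missing + 1))
        fi
    done < "$expected_file"
    [ "$missing" -eq 0 ]
}

# Expected subjects: the Resolute (linux-7.0.y) list from the SRU mail.
EXPECTED_RESOLUTE=$(mktemp)
cat > "$EXPECTED_RESOLUTE" <<'EOF'
rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
rxrpc: Fix potential UAF after skb_unshare() failure
rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
EOF

# Constructed sample log: a branch that carries three of the four fixes
# (the skb_unshare() UAF follow-up is deliberately absent).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
UBUNTU: Start new release
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
UBUNTU: link-to-tracker: update tracking bug
EOF

if check_backports "$SAMPLE_LOG" "$EXPECTED_RESOLUTE"; then
    echo "all expected backports present"
else
    echo "backports missing: do not ACK until the list above is complete"
fi
```

On a real review the log file is produced with `git log --format=%s <base>..<branch-under-review>` so that only the commits being proposed are checked.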