Bug 2467771 (CVE-2026-43284)
| Summary: | CVE-2026-43284 kernel: "Dirty Frag" ESP XFRM variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | astupnik, cchiang, ctowsley, dhgautam, dwojewod, eric.eisenhart, kevinxue, klaas, mcc77, mmilgram, mohamed-mahdi.dridi, oarribas, pasik, reynolds, rhel-process-autobot, rkeshri, robert.stannard, sardella, security-response-team, shalygin.k, snavale, timothy.a.meader, victor.cardoso, villapla, watson-tool-maintainers, yannick.bergeron |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the Linux kernel's xfrm-ESP and RxRPC subsystems. Unsafe in-place cryptographic processing of shared socket buffer fragments allows a low-privileged local attacker to corrupt page-cache contents of readable files, including sensitive system files, and gain root privileges. The xfrm-ESP variant requires unprivileged user or network namespace creation, while the RxRPC variant depends on the rxrpc module being available on the target system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2467807 | ||
| Bug Blocks: | |||
| Deadline: | 2026-05-12 | ||
|
Description
OSIDB Bzimport
2026-05-07 16:02:22 UTC
What is the recommended workaround until a patch is available? RHEL does not load these modules with modprobe The following command followed by a reboot seems to work: grubby --update-kernel=ALL --args=module_blacklist=esp4,esp6,rxrpc However, I don't know if it's the recommended solution or if there is one that is better / more safe. https://access.redhat.com/security/cve/cve-2026-43284 Also, it does not list RHEL7 as affected or unaffected or under investigation still no https://access.redhat.com/security/cve/cve-2026-43500 which seems to be another CVE related to dirty frag (In reply to Yannick Bergeron from comment #5) > What is the recommended workaround until a patch is available? RHEL does not > load these modules with modprobe > > The following command followed by a reboot seems to work: grubby > --update-kernel=ALL --args=module_blacklist=esp4,esp6,rxrpc > However, I don't know if it's the recommended solution or if there is one > that is better / more safe. > > https://access.redhat.com/security/cve/cve-2026-43284 > Also, it does not list RHEL7 as affected or unaffected or under investigation > > still no https://access.redhat.com/security/cve/cve-2026-43500 which seems > to be another CVE related to dirty frag Hi Yannick, The Red Hat Security Bulletin(https://access.redhat.com/security/vulnerabilities/RHSB-2026-003) for this CVE has mitigation steps detailed that should assist while we work on a patch. The CVE page does seem to show both RHEL 6 and 7 as Under Investigation when i look at it, so please check again. If it's still not displaying properly you can reach out to me directly via email and I'll reach out to the team responsible to see if there might be an issue with the back end not displaying correctly. This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:16061 https://access.redhat.com/errata/RHSA-2026:16061 This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:16062 https://access.redhat.com/errata/RHSA-2026:16062 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:16100 https://access.redhat.com/errata/RHSA-2026:16100 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:16196 https://access.redhat.com/errata/RHSA-2026:16196 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:16203 https://access.redhat.com/errata/RHSA-2026:16203 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:16195 https://access.redhat.com/errata/RHSA-2026:16195 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2026:16201 https://access.redhat.com/errata/RHSA-2026:16201 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:16202 https://access.redhat.com/errata/RHSA-2026:16202 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2026:16204 https://access.redhat.com/errata/RHSA-2026:16204 Are we still waiting for a kernel fix for the general Red Hat Enterprise Linux 9 channel? I don't see listed above. This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:16206 https://access.redhat.com/errata/RHSA-2026:16206 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:16254 https://access.redhat.com/errata/RHSA-2026:16254 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:16328 https://access.redhat.com/errata/RHSA-2026:16328 This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:16314 https://access.redhat.com/errata/RHSA-2026:16314 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:16312 https://access.redhat.com/errata/RHSA-2026:16312 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.18 Via RHSA-2026:16160 https://access.redhat.com/errata/RHSA-2026:16160 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.19 Via RHSA-2026:16161 https://access.redhat.com/errata/RHSA-2026:16161 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.21 Via RHSA-2026:16155 https://access.redhat.com/errata/RHSA-2026:16155 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2026:16171 https://access.redhat.com/errata/RHSA-2026:16171 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.20 Via RHSA-2026:16157 https://access.redhat.com/errata/RHSA-2026:16157 (In reply to Cole Towsley from comment #6) > (In reply to Yannick Bergeron from comment #5) > > What is the recommended workaround until a patch is available? RHEL does not > > load these modules with modprobe > > > > The following command followed by a reboot seems to work: grubby > > --update-kernel=ALL --args=module_blacklist=esp4,esp6,rxrpc > > However, I don't know if it's the recommended solution or if there is one > > that is better / more safe. > > > > https://access.redhat.com/security/cve/cve-2026-43284 > > Also, it does not list RHEL7 as affected or unaffected or under investigation > > > > still no https://access.redhat.com/security/cve/cve-2026-43500 which seems > > to be another CVE related to dirty frag > > Hi Yannick, > > The Red Hat Security > Bulletin(https://access.redhat.com/security/vulnerabilities/RHSB-2026-003) > for this CVE has mitigation steps detailed that should assist while we work > on a patch. The CVE page does seem to show both RHEL 6 and 7 as Under > Investigation when i look at it, so please check again. If it's still not > displaying properly you can reach out to me directly via email and I'll > reach out to the team responsible to see if there might be an issue with the > back end not displaying correctly. Our cyber team use qualys to detect that RHEL7 is "vulnerable" despite RH public statement otherwise. Is it safe to add workarounds to stop qualys noise? rmmod esp4 esp6 echo "install esp4 /bin/false" >> /etc/modprobe.d/disable-esp.conf echo "install esp6 /bin/false" >> /etc/modprobe.d/disable-esp.conf This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2026:16180 https://access.redhat.com/errata/RHSA-2026:16180 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2026:16176 https://access.redhat.com/errata/RHSA-2026:16176 This issue has been addressed in the following products: NVIDIA for RHEL 10 Via RHSA-2026:17795 https://access.redhat.com/errata/RHSA-2026:17795 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:18025 https://access.redhat.com/errata/RHSA-2026:18025 This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:19074 https://access.redhat.com/errata/RHSA-2026:19074 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:19225 https://access.redhat.com/errata/RHSA-2026:19225 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Via RHSA-2026:19564 https://access.redhat.com/errata/RHSA-2026:19564 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Via RHSA-2026:19572 https://access.redhat.com/errata/RHSA-2026:19572 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:19575 https://access.redhat.com/errata/RHSA-2026:19575 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:19577 https://access.redhat.com/errata/RHSA-2026:19577 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:19573 https://access.redhat.com/errata/RHSA-2026:19573 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:19574 https://access.redhat.com/errata/RHSA-2026:19574 This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:19569 https://access.redhat.com/errata/RHSA-2026:19569 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:19568 https://access.redhat.com/errata/RHSA-2026:19568 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2026:21695 https://access.redhat.com/errata/RHSA-2026:21695 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2026:23233 https://access.redhat.com/errata/RHSA-2026:23233 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2026:26542 https://access.redhat.com/errata/RHSA-2026:26542 This issue has been addressed in the following products: NVIDIA for RHEL 10 Via RHSA-2026:33486 https://access.redhat.com/errata/RHSA-2026:33486 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.17 Via RHSA-2026:34098 https://access.redhat.com/errata/RHSA-2026:34098 |