Re: CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags

Next message: Tzung-Bi Shih: "[PATCH v10 7/9] gpio: Remove unused `chip` and `srcu` in struct gpio_device"
Previous message: tip-bot2 for Ben Horgan: "[tip: x86/cache] x86,fs/resctrl: Create 'event_filter' files read only if they're not configurable"
In reply to: Greg Kroah-Hartman: "Re: CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags"
Next in thread: Tomasz Figa: "Re: CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg Kroah-Hartman

Date: Fri May 08 2026 - 06:57:19 EST

On Fri, May 08, 2026 at 12:09:58PM +0200, Greg Kroah-Hartman wrote:
> On Fri, May 08, 2026 at 10:57:05AM +0200, Massimiliano Pellizzer wrote:
> > On Fri, May 8, 2026 at 9:24 AM Greg Kroah-Hartman
> > I tested the publicly available exploit against the stable kernel 5.15.204.
> > That stable branch is affected too.
> >
> > ```
> > $ ./run.sh
> > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > 'sick::0:0:<pad>:/:/bin/bash'
> > === Stage 2 — verify
> > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > === Stage 3 — su - sick (empty password via PAM nullok)
> > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > # whoami
> > root
> > # uname -r
> > 5.15.204
> > ```
> >
>
> Yes, patches for that are being worked on right now, give me a chance to
> get some lunch :)

Updates are now out for the other supported stable versions, and the CVE
entry is updated on cve.org.

thanks,

greg k-h