CVE-2026-43465 (GCVE-0-2026-43465)

Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-08 14:22
VLAI?
Title
net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. The issue was discovered by the drivers/net/xdp.py selftest, more specifically the test_xdp_native_tx_mb: - The mlx5 driver allocates a page_pool page and initializes it with a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0. - The test sends one packet with no payload. - On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP buffer with the packet data starting in the first fragment which is the page mentioned above. - The XDP program runs and calls bpf_xdp_pull_data() which moves the header into the linear part of the XDP buffer. As the packet doesn't contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63). - mlx5 device skips counting this fragment. Internal frag counter remains 0. - mlx5 releases all 64 fragments of the page but page pp_ref_count is 63 => negative reference counting error. Resulting splat during the test: WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] Modules linked in: [...] CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] [...] Call Trace: <TASK> mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] mlx5e_close_rq+0x78/0xa0 [mlx5_core] mlx5e_close_queues+0x46/0x2a0 [mlx5_core] mlx5e_close_channel+0x24/0x90 [mlx5_core] mlx5e_close_channels+0x5d/0xf0 [mlx5_core] mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] mlx5e_change_mtu+0x11d/0x490 [mlx5_core] mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] netif_set_mtu_ext+0xfc/0x240 do_setlink.isra.0+0x226/0x1100 rtnl_newlink+0x7a9/0xba0 rtnetlink_rcv_msg+0x220/0x3c0 netlink_rcv_skb+0x4b/0xf0 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x240 ___sys_sendmsg+0x7c/0xb0 [...] __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xc70 The problem applies for XDP_PASS as well which is handled in a different code path in the driver. This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 87bcef158ac1faca1bd7e0104588e8e2956d10be , < 7d7342a18fadcdb70a63b3c930dc63528ce51832 (git)
Affected: 87bcef158ac1faca1bd7e0104588e8e2956d10be , < 043bd62f748bc9fd98154037aa598cffbd3c667c (git)
Affected: 87bcef158ac1faca1bd7e0104588e8e2956d10be , < db25c42c2e1f9c0d136420fff5e5700f7e771a6f (git)
Affected: 8b051d7f530e8a5237da242fbeafef02fec6b813 (git)
Affected: cb9edd583e23979ee546981be963ad5f217e8b18 (git)
Affected: f2557d7fa38e9475b38588f5c124476091480f53 (git)
Create a notification for this product.
    Linux Linux Affected: 6.18
Unaffected: 0 , < 6.18 (semver)
Unaffected: 6.18.19 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7d7342a18fadcdb70a63b3c930dc63528ce51832",
              "status": "affected",
              "version": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
              "versionType": "git"
            },
            {
              "lessThan": "043bd62f748bc9fd98154037aa598cffbd3c667c",
              "status": "affected",
              "version": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
              "versionType": "git"
            },
            {
              "lessThan": "db25c42c2e1f9c0d136420fff5e5700f7e771a6f",
              "status": "affected",
              "version": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8b051d7f530e8a5237da242fbeafef02fec6b813",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cb9edd583e23979ee546981be963ad5f217e8b18",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f2557d7fa38e9475b38588f5c124476091480f53",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.18"
            },
            {
              "lessThan": "6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.6.115",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.12.56",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.17.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn\u0027t change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nThe issue was discovered by the drivers/net/xdp.py selftest,\nmore specifically the test_xdp_native_tx_mb:\n- The mlx5 driver allocates a page_pool page and initializes it with\n  a frag counter of 64 (pp_ref_count=64) and the internal frag counter\n  to 0.\n- The test sends one packet with no payload.\n- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP\n  buffer with the packet data starting in the first fragment which is the\n  page mentioned above.\n- The XDP program runs and calls bpf_xdp_pull_data() which moves the\n  header into the linear part of the XDP buffer. As the packet doesn\u0027t\n  contain more data, the program drops the tail fragment since it no\n  longer contains any payload (pp_ref_count=63).\n- mlx5 device skips counting this fragment. Internal frag counter\n  remains 0.\n- mlx5 releases all 64 fragments of the page but page pp_ref_count is\n  63 =\u003e negative reference counting error.\n\nResulting splat during the test:\n\n  WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  Modules linked in: [...]\n  CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  [...]\n  Call Trace:\n   \u003cTASK\u003e\n   mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]\n   mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]\n   mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]\n   mlx5e_close_rq+0x78/0xa0 [mlx5_core]\n   mlx5e_close_queues+0x46/0x2a0 [mlx5_core]\n   mlx5e_close_channel+0x24/0x90 [mlx5_core]\n   mlx5e_close_channels+0x5d/0xf0 [mlx5_core]\n   mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]\n   mlx5e_change_mtu+0x11d/0x490 [mlx5_core]\n   mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]\n   netif_set_mtu_ext+0xfc/0x240\n   do_setlink.isra.0+0x226/0x1100\n   rtnl_newlink+0x7a9/0xba0\n   rtnetlink_rcv_msg+0x220/0x3c0\n   netlink_rcv_skb+0x4b/0xf0\n   netlink_unicast+0x255/0x380\n   netlink_sendmsg+0x1f3/0x420\n   __sock_sendmsg+0x38/0x60\n   ____sys_sendmsg+0x1e8/0x240\n   ___sys_sendmsg+0x7c/0xb0\n   [...]\n   __sys_sendmsg+0x5f/0xb0\n   do_syscall_64+0x55/0xc70\n\nThe problem applies for XDP_PASS as well which is handled in a different\ncode path in the driver.\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T14:22:26.822Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832"
        },
        {
          "url": "https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c"
        },
        {
          "url": "https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f"
        }
      ],
      "title": "net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43465",
    "datePublished": "2026-05-08T14:22:26.822Z",
    "dateReserved": "2026-05-01T14:12:56.011Z",
    "dateUpdated": "2026-05-08T14:22:26.822Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43465",
      "date": "2026-05-09",
      "epss": "0.00017",
      "percentile": "0.0429"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43465\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:16:59.410\",\"lastModified\":\"2026-05-08T15:16:59.410\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ\\n\\nXDP multi-buf programs can modify the layout of the XDP buffer when the\\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\\nreferenced commit in the fixes tag corrected the assumption in the mlx5\\ndriver that the XDP buffer layout doesn\u0027t change during a program\\nexecution. However, this fix introduced another issue: the dropped\\nfragments still need to be counted on the driver side to avoid page\\nfragment reference counting issues.\\n\\nThe issue was discovered by the drivers/net/xdp.py selftest,\\nmore specifically the test_xdp_native_tx_mb:\\n- The mlx5 driver allocates a page_pool page and initializes it with\\n  a frag counter of 64 (pp_ref_count=64) and the internal frag counter\\n  to 0.\\n- The test sends one packet with no payload.\\n- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP\\n  buffer with the packet data starting in the first fragment which is the\\n  page mentioned above.\\n- The XDP program runs and calls bpf_xdp_pull_data() which moves the\\n  header into the linear part of the XDP buffer. As the packet doesn\u0027t\\n  contain more data, the program drops the tail fragment since it no\\n  longer contains any payload (pp_ref_count=63).\\n- mlx5 device skips counting this fragment. Internal frag counter\\n  remains 0.\\n- mlx5 releases all 64 fragments of the page but page pp_ref_count is\\n  63 =\u003e negative reference counting error.\\n\\nResulting splat during the test:\\n\\n  WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\\n  Modules linked in: [...]\\n  CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE\\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n  RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\\n  [...]\\n  Call Trace:\\n   \u003cTASK\u003e\\n   mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]\\n   mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]\\n   mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]\\n   mlx5e_close_rq+0x78/0xa0 [mlx5_core]\\n   mlx5e_close_queues+0x46/0x2a0 [mlx5_core]\\n   mlx5e_close_channel+0x24/0x90 [mlx5_core]\\n   mlx5e_close_channels+0x5d/0xf0 [mlx5_core]\\n   mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]\\n   mlx5e_change_mtu+0x11d/0x490 [mlx5_core]\\n   mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]\\n   netif_set_mtu_ext+0xfc/0x240\\n   do_setlink.isra.0+0x226/0x1100\\n   rtnl_newlink+0x7a9/0xba0\\n   rtnetlink_rcv_msg+0x220/0x3c0\\n   netlink_rcv_skb+0x4b/0xf0\\n   netlink_unicast+0x255/0x380\\n   netlink_sendmsg+0x1f3/0x420\\n   __sock_sendmsg+0x38/0x60\\n   ____sys_sendmsg+0x1e8/0x240\\n   ___sys_sendmsg+0x7c/0xb0\\n   [...]\\n   __sys_sendmsg+0x5f/0xb0\\n   do_syscall_64+0x55/0xc70\\n\\nThe problem applies for XDP_PASS as well which is handled in a different\\ncode path in the driver.\\n\\nThis patch fixes the issue by doing page frag counting on all the\\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\\ncounting before the commit in the fixes tag.\\n\\nAs frag_page is still pointing to the original tail, the nr_frags\\nparameter to xdp_update_skb_frags_info() needs to be calculated\\nin a different way to reflect the new nr_frags.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.