CVE-2026-43465

CRITICALNVD 9.89.8
EchelonGraph scoreMEDIUM confidence

Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2026-05-08. NVD baseline CVSS 9.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, nvd
9.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 9.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ

XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues.

The issue was discovered by the drivers/net/xdp.py selftest, more specifically the test_xdp_native_tx_mb:

  • The mlx5 driver allocates a page_pool page and initializes it with
a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0.
  • The test sends one packet with no payload.
  • On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP
buffer with the packet data starting in the first fragment which is the page mentioned above.
  • The XDP program runs and calls bpf_xdp_pull_data() which moves the
header into the linear part of the XDP buffer. As the packet doesn't contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63).
  • mlx5 device skips counting this fragment. Internal frag counter
remains 0.
  • mlx5 releases all 64 fragments of the page but page pp_ref_count is
63 => negative reference counting error.

Resulting splat during the test:

WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] Modules linked in: [...] CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] [...] Call Trace: mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] mlx5e_close_rq+0x78/0xa0 [mlx5_core] mlx5e_close_queues+0x46/0x2a0 [mlx5_core] mlx5e_close_channel+0x24/0x90 [mlx5_core] mlx5e_close_channels+0x5d/0xf0 [mlx5_core] mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] mlx5e_change_mtu+0x11d/0x490 [mlx5_core] mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] netif_set_mtu_ext+0xfc/0x240 do_setlink.isra.0+0x226/0x1100 rtnl_newlink+0x7a9/0xba0 rtnetlink_rcv_msg+0x220/0x3c0 netlink_rcv_skb+0x4b/0xf0 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x240 ___sys_sendmsg+0x7c/0xb0 [...] __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xc70

The problem applies for XDP_PASS as well which is handled in a different code path in the driver.

This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag.

As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags.

CVSS v3
9.8
EG Score
9.8(medium)
EPSS
33.6%
KEV
Not listed

Published

May 8, 2026

Last Modified

May 20, 2026

Advisory Details (3)

Auto-updated Jun 21, 2026
No patch confirmed yet.
generic

net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f
generic

net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832
generic

net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c

Vendor Advisories for CVE-2026-43465(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 7× in last 7d / 45× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 264 total refreshes for this CVE.

  1. 2026-07-15 16:57 UTCEPSS rescore
  2. 2026-07-15 02:00 UTCEPSS rescore
  3. 2026-07-13 22:30 UTCEPSS rescore
  4. 2026-07-13 06:13 UTCEPSS rescore
  5. 2026-07-12 05:46 UTCEPSS rescore
  6. 2026-07-11 08:27 UTCEPSS rescore
  7. 2026-07-09 19:10 UTCEPSS rescore
  8. 2026-07-07 13:46 UTCEPSS rescore
  9. 2026-07-06 16:27 UTCEPSS rescore
  10. 2026-07-06 02:23 UTCEPSS rescore
  11. 2026-07-05 02:30 UTCEPSS rescore
  12. 2026-07-04 06:31 UTCEPSS rescore
  13. 2026-07-01 15:07 UTCEPSS rescore
  14. 2026-06-30 23:22 UTCEPSS rescore
  15. 2026-06-28 14:07 UTCEPSS rescore
  16. 2026-06-28 08:55 UTCEG score recompute
  17. 2026-06-28 08:55 UTCGHSA enrichment
  18. 2026-06-28 04:56 UTCEPSS rescore
  19. 2026-06-28 04:19 UTCEG score recompute
  20. 2026-06-28 04:19 UTCGHSA enrichment
  21. 2026-06-27 13:21 UTCEG score recompute
  22. 2026-06-27 13:21 UTCGHSA enrichment
  23. 2026-06-27 03:08 UTCEPSS rescore
  24. 2026-06-26 21:20 UTCEG score recompute
  25. 2026-06-26 21:20 UTCGHSA enrichment
Show 75 more
  1. 2026-06-25 13:49 UTCEPSS rescore
  2. 2026-06-25 13:49 UTCEPSS rescore
  3. 2026-06-24 14:05 UTCEPSS rescore
  4. 2026-06-23 21:33 UTCEPSS rescore
  5. 2026-06-22 14:25 UTCEPSS rescore
  6. 2026-06-22 14:25 UTCEPSS rescore
  7. 2026-06-21 14:56 UTCEPSS rescore
  8. 2026-06-21 14:56 UTCEPSS rescore
  9. 2026-06-21 01:59 UTCEPSS rescore
  10. 2026-06-19 19:25 UTCEPSS rescore
  11. 2026-06-18 17:52 UTCEPSS rescore
  12. 2026-06-18 17:52 UTCEPSS rescore
  13. 2026-06-17 17:53 UTCEPSS rescore
  14. 2026-06-17 05:47 UTCEG score recompute
  15. 2026-06-17 05:47 UTCGHSA enrichment
  16. 2026-06-17 01:27 UTCEG score recompute
  17. 2026-06-17 01:27 UTCGHSA enrichment
  18. 2026-06-16 17:52 UTCEPSS rescore
  19. 2026-06-16 08:07 UTCEG score recompute
  20. 2026-06-16 08:07 UTCGHSA enrichment
  21. 2026-06-15 17:49 UTCEPSS rescore
  22. 2026-06-15 05:50 UTCEG score recompute
  23. 2026-06-15 05:50 UTCGHSA enrichment
  24. 2026-06-15 02:06 UTCEG score recompute
  25. 2026-06-15 02:06 UTCGHSA enrichment
  26. 2026-06-14 22:22 UTCEG score recompute
  27. 2026-06-14 22:22 UTCGHSA enrichment
  28. 2026-06-14 18:34 UTCEG score recompute
  29. 2026-06-14 18:34 UTCGHSA enrichment
  30. 2026-06-14 14:50 UTCEG score recompute
  31. 2026-06-14 14:49 UTCGHSA enrichment
  32. 2026-06-14 10:36 UTCEG score recompute
  33. 2026-06-14 10:36 UTCGHSA enrichment
  34. 2026-06-14 06:45 UTCEG score recompute
  35. 2026-06-14 06:45 UTCGHSA enrichment
  36. 2026-06-14 02:33 UTCEG score recompute
  37. 2026-06-14 02:33 UTCGHSA enrichment
  38. 2026-06-13 23:00 UTCEPSS rescore
  39. 2026-06-12 23:47 UTCEG score recompute
  40. 2026-06-12 23:47 UTCGHSA enrichment
  41. 2026-06-12 23:12 UTCEPSS rescore
  42. 2026-06-12 23:12 UTCEPSS rescore
  43. 2026-06-12 20:02 UTCEG score recompute
  44. 2026-06-12 20:02 UTCGHSA enrichment
  45. 2026-06-12 11:50 UTCEG score recompute
  46. 2026-06-12 11:50 UTCGHSA enrichment
  47. 2026-06-12 08:06 UTCEG score recompute
  48. 2026-06-12 08:06 UTCGHSA enrichment
  49. 2026-06-12 04:21 UTCEG score recompute
  50. 2026-06-12 04:21 UTCGHSA enrichment
  51. 2026-06-12 00:37 UTCEG score recompute
  52. 2026-06-12 00:37 UTCGHSA enrichment
  53. 2026-06-11 20:53 UTCEG score recompute
  54. 2026-06-11 20:53 UTCGHSA enrichment
  55. 2026-06-11 17:09 UTCEG score recompute
  56. 2026-06-11 17:09 UTCGHSA enrichment
  57. 2026-06-11 14:00 UTCEPSS rescore
  58. 2026-06-11 12:12 UTCEG score recompute
  59. 2026-06-11 12:12 UTCGHSA enrichment
  60. 2026-06-11 08:27 UTCEG score recompute
  61. 2026-06-11 08:27 UTCGHSA enrichment
  62. 2026-06-11 04:44 UTCEG score recompute
  63. 2026-06-11 04:43 UTCGHSA enrichment
  64. 2026-06-11 00:59 UTCEG score recompute
  65. 2026-06-11 00:59 UTCGHSA enrichment
  66. 2026-06-10 22:18 UTCEPSS rescore
  67. 2026-06-10 21:15 UTCEG score recompute
  68. 2026-06-10 21:15 UTCGHSA enrichment
  69. 2026-06-10 17:31 UTCEG score recompute
  70. 2026-06-10 17:31 UTCGHSA enrichment
  71. 2026-06-10 13:47 UTCEG score recompute
  72. 2026-06-10 13:47 UTCGHSA enrichment
  73. 2026-06-10 13:22 UTCEPSS rescore
  74. 2026-06-10 13:22 UTCEPSS rescore
  75. 2026-06-10 10:03 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-43465?
CVE-2026-43465 is a critical vulnerability published on May 8, 2026. In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpfxdppulldata() or bpfxdpadjusttail(). The referenced commit in the fixes tag…
When was CVE-2026-43465 disclosed?
CVE-2026-43465 was first published in the National Vulnerability Database on May 8, 2026, with the most recent update on May 20, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-43465 actively exploited?
CVE-2026-43465 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 33.6% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-43465?
CVE-2026-43465 has a CVSS v3 base score of 9.8 (NVD).
How do I remediate CVE-2026-43465?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-43465, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-43465

Explore →

Is Your Infrastructure Affected by CVE-2026-43465?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.