UBUNTU-CVE-2026-43464
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. Such issue can be observed with the test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of 3600 and shrinking by 256 bytes (an upcoming selftest patch): the last fragment gets released by the XDP code but doesn't get tracked by the driver. This results in a negative pp_ref_count during page release and the following splat: WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137 Modules linked in: [...] CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core] [...] Call Trace: <TASK> mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core] mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core] mlx5e_close_rq+0x50/0x60 [mlx5_core] mlx5e_close_queues+0x36/0x2c0 [mlx5_core] mlx5e_close_channel+0x1c/0x50 [mlx5_core] mlx5e_close_channels+0x45/0x80 [mlx5_core] mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core] mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core] netif_set_mtu_ext+0xf1/0x230 do_setlink.isra.0+0x219/0x1180 rtnl_newlink+0x79f/0xb60 rtnetlink_rcv_msg+0x213/0x3a0 netlink_rcv_skb+0x48/0xf0 netlink_unicast+0x24a/0x350 netlink_sendmsg+0x1ee/0x410 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x232/0x280 ___sys_sendmsg+0x78/0xb0 __sys_sendmsg+0x5f/0xb0 [...] do_syscall_64+0x57/0xc50 This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags.
UBUNTU-CVE-2026-43464
Description
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. Such issue can be observed with the test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of 3600 and shrinking by 256 bytes (an upcoming selftest patch): the last fragment gets released by the XDP code but doesn't get tracked by the driver. This results in a negative pp_ref_count during page release and the following splat: WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137 Modules linked in: [...] CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core] [...] Call Trace: <TASK> mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core] mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core] mlx5e_close_rq+0x50/0x60 [mlx5_core] mlx5e_close_queues+0x36/0x2c0 [mlx5_core] mlx5e_close_channel+0x1c/0x50 [mlx5_core] mlx5e_close_channels+0x45/0x80 [mlx5_core] mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core] mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core] netif_set_mtu_ext+0xf1/0x230 do_setlink.isra.0+0x219/0x1180 rtnl_newlink+0x79f/0xb60 rtnetlink_rcv_msg+0x213/0x3a0 netlink_rcv_skb+0x48/0xf0 netlink_unicast+0x24a/0x350 netlink_sendmsg+0x1ee/0x410 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x232/0x280 ___sys_sendmsg+0x78/0xb0 __sys_sendmsg+0x5f/0xb0 [...] do_syscall_64+0x57/0xc50 This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags.
CVSS v3.1
Affected software
pkg:deb/ubuntu/[email protected]~16.04.1?arch=source&distro=xenialpkg:deb/ubuntu/[email protected]?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]~18.04.2?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]~18.04.1?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]~18.04.1?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]~18.04.1?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]~18.04.2?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]~18.04.1?arch=source&distro=bionicpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.2?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]+cvm1.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.3?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~20.04.1?arch=source&distro=focalpkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.2?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.2.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.1?arch=source&distro=jammypkg:deb/ubuntu/[email protected]~22.04.2?arch=source&distro=realtime/jammypkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=noblepkg:deb/ubuntu/[email protected]?arch=source&distro=bluefield/noblepkg:deb/ubuntu/[email protected]+fips1?arch=source&distro=fips-updates/noblepkg:deb/ubuntu/[email protected]+fips1?arch=source&distro=fips-updates/noblepkg:deb/ubuntu/[email protected]+fips1?arch=source&distro=fips-updates/noblepkg:deb/ubuntu/[email protected]+fips1?arch=source&distro=fips-updates/noblepkg:deb/ubuntu/[email protected]?arch=source&distro=realtime/noblepkg:deb/ubuntu/[email protected]?arch=source&distro=realtime/noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=realtime/noblepkg:deb/ubuntu/[email protected]~24.04.1?arch=source&distro=realtime/noblepkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]?arch=source&distro=resoluteRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- UBUNTU-CVE-2026-43464
- Osv Schema Version
- 1.7.0
- Aliases
- []
- Ecosystems
- ["Ubuntu:16.04:LTS","Ubuntu:18.04:LTS","Ubuntu:20.04:LTS","Ubuntu:22.04:LTS","Ubuntu:Pro:Realtime:22.04:LTS","Ubuntu:24.04:LTS","Ubuntu:Nvidia-BlueField:24.04:LTS","Ubuntu:Pro:FIPS-updates:24.04:LTS","Ubuntu:Pro:Realtime:24.04:LTS","Ubuntu:25.10","Ubuntu:26.04:LTS"]
- Database Specific Severity
- null
- Cvss Version
- 3.1
Threat ID: 6a5a026c91ae9bcd3f836c32
Added to database: 07/17/2026, 10:22:36 UTC
Last updated: 07/17/2026, 10:22:36 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.