{"api_version":"1","generated_at":"2026-05-11T11:03:43+00:00","cve":"CVE-2026-43465","urls":{"html":"https://cve.report/CVE-2026-43465","api":"https://cve.report/api/cve/CVE-2026-43465.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43465","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43465"},"summary":{"title":"net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn't change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nThe issue was discovered by the drivers/net/xdp.py selftest,\nmore specifically the test_xdp_native_tx_mb:\n- The mlx5 driver allocates a page_pool page and initializes it with\n  a frag counter of 64 (pp_ref_count=64) and the internal frag counter\n  to 0.\n- The test sends one packet with no payload.\n- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP\n  buffer with the packet data starting in the first fragment which is the\n  page mentioned above.\n- The XDP program runs and calls bpf_xdp_pull_data() which moves the\n  header into the linear part of the XDP buffer. As the packet doesn't\n  contain more data, the program drops the tail fragment since it no\n  longer contains any payload (pp_ref_count=63).\n- mlx5 device skips counting this fragment. Internal frag counter\n  remains 0.\n- mlx5 releases all 64 fragments of the page but page pp_ref_count is\n  63 => negative reference counting error.\n\nResulting splat during the test:\n\n  WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  Modules linked in: [...]\n  CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  [...]\n  Call Trace:\n   <TASK>\n   mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]\n   mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]\n   mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]\n   mlx5e_close_rq+0x78/0xa0 [mlx5_core]\n   mlx5e_close_queues+0x46/0x2a0 [mlx5_core]\n   mlx5e_close_channel+0x24/0x90 [mlx5_core]\n   mlx5e_close_channels+0x5d/0xf0 [mlx5_core]\n   mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]\n   mlx5e_change_mtu+0x11d/0x490 [mlx5_core]\n   mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]\n   netif_set_mtu_ext+0xfc/0x240\n   do_setlink.isra.0+0x226/0x1100\n   rtnl_newlink+0x7a9/0xba0\n   rtnetlink_rcv_msg+0x220/0x3c0\n   netlink_rcv_skb+0x4b/0xf0\n   netlink_unicast+0x255/0x380\n   netlink_sendmsg+0x1f3/0x420\n   __sock_sendmsg+0x38/0x60\n   ____sys_sendmsg+0x1e8/0x240\n   ___sys_sendmsg+0x7c/0xb0\n   [...]\n   __sys_sendmsg+0x5f/0xb0\n   do_syscall_64+0x55/0xc70\n\nThe problem applies for XDP_PASS as well which is handled in a different\ncode path in the driver.\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-08 15:16:59","updated_at":"2026-05-11 08:16:15"},"problem_types":[],"metrics":[{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f","name":"https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c","name":"https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832","name":"https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43465","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43465","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 87bcef158ac1faca1bd7e0104588e8e2956d10be 7d7342a18fadcdb70a63b3c930dc63528ce51832 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 87bcef158ac1faca1bd7e0104588e8e2956d10be 043bd62f748bc9fd98154037aa598cffbd3c667c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 87bcef158ac1faca1bd7e0104588e8e2956d10be db25c42c2e1f9c0d136420fff5e5700f7e771a6f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8b051d7f530e8a5237da242fbeafef02fec6b813 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected cb9edd583e23979ee546981be963ad5f217e8b18 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2557d7fa38e9475b38588f5c124476091480f53 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.18","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.19 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.9 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43465","cve":"CVE-2026-43465","epss":"0.000170000","percentile":"0.043040000","score_date":"2026-05-10","updated_at":"2026-05-11 00:14:41"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"7d7342a18fadcdb70a63b3c930dc63528ce51832","status":"affected","version":"87bcef158ac1faca1bd7e0104588e8e2956d10be","versionType":"git"},{"lessThan":"043bd62f748bc9fd98154037aa598cffbd3c667c","status":"affected","version":"87bcef158ac1faca1bd7e0104588e8e2956d10be","versionType":"git"},{"lessThan":"db25c42c2e1f9c0d136420fff5e5700f7e771a6f","status":"affected","version":"87bcef158ac1faca1bd7e0104588e8e2956d10be","versionType":"git"},{"status":"affected","version":"8b051d7f530e8a5237da242fbeafef02fec6b813","versionType":"git"},{"status":"affected","version":"cb9edd583e23979ee546981be963ad5f217e8b18","versionType":"git"},{"status":"affected","version":"f2557d7fa38e9475b38588f5c124476091480f53","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.18"},{"lessThan":"6.18","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.19","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.9","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.19","versionStartIncluding":"6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.9","versionStartIncluding":"6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.115","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.56","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17.6","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn't change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nThe issue was discovered by the drivers/net/xdp.py selftest,\nmore specifically the test_xdp_native_tx_mb:\n- The mlx5 driver allocates a page_pool page and initializes it with\n  a frag counter of 64 (pp_ref_count=64) and the internal frag counter\n  to 0.\n- The test sends one packet with no payload.\n- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP\n  buffer with the packet data starting in the first fragment which is the\n  page mentioned above.\n- The XDP program runs and calls bpf_xdp_pull_data() which moves the\n  header into the linear part of the XDP buffer. As the packet doesn't\n  contain more data, the program drops the tail fragment since it no\n  longer contains any payload (pp_ref_count=63).\n- mlx5 device skips counting this fragment. Internal frag counter\n  remains 0.\n- mlx5 releases all 64 fragments of the page but page pp_ref_count is\n  63 => negative reference counting error.\n\nResulting splat during the test:\n\n  WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  Modules linked in: [...]\n  CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  [...]\n  Call Trace:\n   <TASK>\n   mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]\n   mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]\n   mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]\n   mlx5e_close_rq+0x78/0xa0 [mlx5_core]\n   mlx5e_close_queues+0x46/0x2a0 [mlx5_core]\n   mlx5e_close_channel+0x24/0x90 [mlx5_core]\n   mlx5e_close_channels+0x5d/0xf0 [mlx5_core]\n   mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]\n   mlx5e_change_mtu+0x11d/0x490 [mlx5_core]\n   mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]\n   netif_set_mtu_ext+0xfc/0x240\n   do_setlink.isra.0+0x226/0x1100\n   rtnl_newlink+0x7a9/0xba0\n   rtnetlink_rcv_msg+0x220/0x3c0\n   netlink_rcv_skb+0x4b/0xf0\n   netlink_unicast+0x255/0x380\n   netlink_sendmsg+0x1f3/0x420\n   __sock_sendmsg+0x38/0x60\n   ____sys_sendmsg+0x1e8/0x240\n   ___sys_sendmsg+0x7c/0xb0\n   [...]\n   __sys_sendmsg+0x5f/0xb0\n   do_syscall_64+0x55/0xc70\n\nThe problem applies for XDP_PASS as well which is handled in a different\ncode path in the driver.\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags."}],"metrics":[{"cvssV3_1":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-05-11T06:34:53.208Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832"},{"url":"https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c"},{"url":"https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f"}],"title":"net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43465","datePublished":"2026-05-08T14:22:26.822Z","dateReserved":"2026-05-01T14:12:56.011Z","dateUpdated":"2026-05-11T06:34:53.208Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 15:16:59","lastModifiedDate":"2026-05-11 08:16:15","problem_types":[],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43465","Ordinal":"1","Title":"net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ","CVE":"CVE-2026-43465","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43465","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn't change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nThe issue was discovered by the drivers/net/xdp.py selftest,\nmore specifically the test_xdp_native_tx_mb:\n- The mlx5 driver allocates a page_pool page and initializes it with\n  a frag counter of 64 (pp_ref_count=64) and the internal frag counter\n  to 0.\n- The test sends one packet with no payload.\n- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP\n  buffer with the packet data starting in the first fragment which is the\n  page mentioned above.\n- The XDP program runs and calls bpf_xdp_pull_data() which moves the\n  header into the linear part of the XDP buffer. As the packet doesn't\n  contain more data, the program drops the tail fragment since it no\n  longer contains any payload (pp_ref_count=63).\n- mlx5 device skips counting this fragment. Internal frag counter\n  remains 0.\n- mlx5 releases all 64 fragments of the page but page pp_ref_count is\n  63 => negative reference counting error.\n\nResulting splat during the test:\n\n  WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  Modules linked in: [...]\n  CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  [...]\n  Call Trace:\n   <TASK>\n   mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]\n   mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]\n   mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]\n   mlx5e_close_rq+0x78/0xa0 [mlx5_core]\n   mlx5e_close_queues+0x46/0x2a0 [mlx5_core]\n   mlx5e_close_channel+0x24/0x90 [mlx5_core]\n   mlx5e_close_channels+0x5d/0xf0 [mlx5_core]\n   mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]\n   mlx5e_change_mtu+0x11d/0x490 [mlx5_core]\n   mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]\n   netif_set_mtu_ext+0xfc/0x240\n   do_setlink.isra.0+0x226/0x1100\n   rtnl_newlink+0x7a9/0xba0\n   rtnetlink_rcv_msg+0x220/0x3c0\n   netlink_rcv_skb+0x4b/0xf0\n   netlink_unicast+0x255/0x380\n   netlink_sendmsg+0x1f3/0x420\n   __sock_sendmsg+0x38/0x60\n   ____sys_sendmsg+0x1e8/0x240\n   ___sys_sendmsg+0x7c/0xb0\n   [...]\n   __sys_sendmsg+0x5f/0xb0\n   do_syscall_64+0x55/0xc70\n\nThe problem applies for XDP_PASS as well which is handled in a different\ncode path in the driver.\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags.","Type":"Description","Title":"net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ"}]}}}