02.06.2026
Kunbus-2026-0000006: "Dirty Frag"/"Copy Fail 2 : Electric Boogaloo"
TLP: GREEN
| Publisher: KUNBUS PSIRT | Document category: csaf_vex |
| Initial release date: 2026-06-02T13:21:24.900910333Z | Engine: csaf-cms-backend 1.0.0 |
| Current release date: 2026-06-02T13:21:24.900910333Z | Build Date: 2026-06-02T13:13:01.800Z |
| Current version: 1.0.0 | Status: final |
| CVSSv3.1 Base Score: 8.8 | Severity: |
| Original language: | Language: en-US |
| Also referred to: | |
Vulnerabilities
(CVE-2026-43284)
DescriptionIn the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
| CWE: | CWE-123:Write-what-where Condition |
|---|
Product status
Known affected
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| KUNBUS Revolution Pi Revolution Pi OS Bookworm <= (03/2026) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 8.8 |
| KUNBUS Revolution Pi Revolution Pi OS Bullseye | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 8.8 |
| KUNBUS Revolution Pi linux-image-revpi-v8 <= 6.12.85-revpi0-rpi-v8 |
Fixed
- KUNBUS Revolution Pi linux-image-revpi-v8 6.12.87-revpi0-rpi-v8
Remediations
Vendor fix (2026-06-02T10:00:00.000Z)
Update Kernel Package to at least version 6.12.87
For products:
- KUNBUS Revolution Pi Revolution Pi OS Bookworm <= (03/2026)
- KUNBUS Revolution Pi linux-image-revpi-v8 <= 6.12.85-revpi0-rpi-v8
Workaround (2026-06-02T10:00:00.000Z)
Disable esp kernel modules. sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
For products:
- KUNBUS Revolution Pi Revolution Pi OS Bookworm <= (03/2026)
- KUNBUS Revolution Pi Revolution Pi OS Bullseye
- KUNBUS Revolution Pi linux-image-revpi-v8 <= 6.12.85-revpi0-rpi-v8
References
- National Vulnerability Database (external): https://nvd.nist.gov/vuln/detail/CVE-2026-43284
(CVE-2026-43500)
Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
| CWE: | CWE-787:Out-of-bounds Write |
|---|
Product status
Known not affected
- KUNBUS Revolution Pi Revolution Pi OS Bookworm <= (03/2026)
- KUNBUS Revolution Pi Revolution Pi OS Bullseye
References
- National Vulnerability Database (external): https://nvd.nist.gov/vuln/detail/CVE-2026-43500
KUNBUS PSIRT
- National Vulnerability Database (external): https://nvd.nist.gov/vuln/detail/CVE-2026-43500
KUNBUS PSIRT
Namespace: https://www.kunbus.com
product-security@kunbus.com
KUNBUS GmbH develops and produces the Revolution Pi Family, Revolution Pi OS and the extension modules for RevPi amongst others. KUNBUS PSIRT is responsible for vulnerability handling across all KUNBUS products and services.
References
- URL generated by system (self): https://psirt.kunbus.com/green/2026/kunbus-2026-0000006.json
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1.0.0 | 2026-06-02T13:21:24.900910333Z | Initial Publication |
Sharing rules
TLP:GREEN
For the TLP version see: https://www.first.org/tlp/
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. KUNBUS RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.