module
rxkad Page-Cache Write via CVE-2026-43500
| Disclosed |
|---|
| May 8, 2026 |
Description
CVE-2026-43500 is a memory-corruption vulnerability in the Linux kernel's RxRPC
authentication subsystem (rxkad). When a crafted DATA packet is delivered to an AF_RXRPC
socket configured with an attacker-controlled rxkad session key, the kernel's
rxkad_verify_packet_1() function performs an in-place 8-byte pcbc(fcrypt) decryption
directly on the page-cache page referenced by the splice offset. Because the decryption
mutates the page in place without marking it dirty, the corrupted in-memory view is
immediately visible to all processes reading from the page cache. This allows a local
attacker to corrupt the in-memory contents of a SUID binary and escalate privileges to root.
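Because the page is changed without being marked dirty, the cached view of a file and its on-disk bytes diverge, and that divergence can be checked for. The following is an added example, not code from this page or from the kernel project: it compares a buffered read of each set-uid file with an O_DIRECT read. The function names, the 8-byte reporting unit (chosen to match the write size in the description) and a filesystem that supports O_DIRECT are assumptions.

```python
import mmap
import os
import stat
import sys

CHUNK = 1 << 20  # read size; a multiple of common logical block sizes

def read_cached(path):
    """Buffered read: the page-cache view that exec() and other readers get."""
    with open(path, "rb") as f:
        return f.read()

def read_direct(path):
    """O_DIRECT read from the backing store; OSError if the fs lacks support."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping = page-aligned buffer
    out = bytearray()
    try:
        while True:
            n = os.readv(fd, [buf])
            out += buf[:n]
            if n < CHUNK:  # short read on a regular file means EOF
                return bytes(out)
    finally:
        buf.close()
        os.close(fd)

def changed_blocks(cached, on_disk, block=8):
    """Offsets of block-sized units where the cached view differs from disk."""
    length = max(len(cached), len(on_disk))
    return [off for off in range(0, length, block)
            if cached[off:off + block] != on_disk[off:off + block]]

def audit_suid(paths):
    """Map each set-uid regular file to its mismatching offsets ([] = clean)."""
    report = {}
    for p in paths:
        st = os.stat(p)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
            try:
                report[p] = changed_blocks(read_cached(p), read_direct(p))
            except OSError as exc:  # e.g. EINVAL where O_DIRECT is unsupported
                report[p] = exc
    return report

if __name__ == "__main__":
    for path, result in audit_suid(sys.argv[1:]).items():
        print(path, result or "matches disk")
```

A mismatch on a file that nothing is legitimately writing to means the cached copy was altered without writeback. The modified page is clean from the kernel's point of view, so dropping the page cache or rebooting discards it; run the comparison before doing either.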