From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1EB2031ED81 for ; Fri, 8 May 2026 10:52:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778237574; cv=none; b=KR2HXbHUlWHEGRdQTlTwyRXpO0JPbnf3jSBlgzFhlHICo73VOtQLeaQrWiypfC/7B5IJMF+M9U/EOXdB13HxVUtNnj9sSanZZVBJnEBbnFmo5T4zlTp8HKTEh9Jghcucnw8EQ5hU644hcpYk/yYr1McvWGebWVk6Gy/trJYesqE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778237574; c=relaxed/simple; bh=N6XU2JJZTDXbOeWvkJMLV0capt+4kmMPBN7esaQyiiQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=iSZWRQgvIkeQvGxbZDEQ7Il0Vz3wsHWRAnMxV32VNaaI1qkLgHcraYf1F+QpnTfVJLiUCUshq4xAk0C4HENteox29MreINsxEp7LtV4MqBpP2H3INgsWwONaMTheKX1Dr+kLTGiUYXqjHTTdWQrE3IROkJ+aMtsaOKHThBx6D3M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=C1eDQUg0; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="C1eDQUg0" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7CB3DC2BCB0; Fri, 8 May 2026 10:52:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1778237573; bh=N6XU2JJZTDXbOeWvkJMLV0capt+4kmMPBN7esaQyiiQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=C1eDQUg0mpQVM62GKSld2D1L235HA7R8fBRcW8F5MGiG27KK0YlQRmqLM+5OlV2OB jjUcwth/Ha1CdYaBJHAVfsq3JTngdOnxUTAsUpdv2nb97fq5okYM1XytjQ56RVxsXZ DzaNr/lLO6izDGlfap6JgZzWRXp1umNmq/pS/GXKq8jjtvo565cm7AHOPIFTjGL++5 zdHRVjB/jCYvE6g6DZXFubhhbKyDx5AdQX7BR7JmuioNK2zpwpDLXcMefbJJvLOScx kvMFallXxiOstCc7nZUGVqIDeICE+aRTM58ujXbrzMRFSQv3bLkiUsyKxj+Kq3z1FT hpMMizt60az6Q== Date: Fri, 8 May 2026 12:52:49 +0200 From: Greg Kroah-Hartman To: Massimiliano Pellizzer Cc: cve@kernel.org, linux-kernel@vger.kernel.org Subject: Re: CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags Message-ID: <2026050827-smudge-sleet-17c0@gregkh> References: <2026050856-CVE-2026-43284-6598@gregkh> <2026050832-size-scribing-666b@gregkh> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <2026050832-size-scribing-666b@gregkh> On Fri, May 08, 2026 at 12:09:58PM +0200, Greg Kroah-Hartman wrote: > On Fri, May 08, 2026 at 10:57:05AM +0200, Massimiliano Pellizzer wrote: > > On Fri, May 8, 2026 at 9:24 AM Greg Kroah-Hartman > > I tested the publicly available exploit against the stable kernel 5.15.204. > > That stable branch is affected too. > > > > ``` > > $ ./run.sh > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with > > 'sick::0:0::/:/bin/bash' > > === Stage 2 — verify > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash > > === Stage 3 — su - sick (empty password via PAM nullok) > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert > > # whoami > > root > > # uname -r > > 5.15.204 > > ``` > > > > Yes, patches for that are being worked on right now, give me a chance to > get some lunch :) Updates are now out for the other supported stable versions, and the CVE entry is updated on cve.org. thanks, greg k-h