Write-what-where Condition Affecting torvalds/linux package, versions [0,7.1-rc3)
Threat Intelligence
Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UNMANAGED-TORVALDSLINUX-16535533
- published8 May 2026
- disclosed8 May 2026
- creditV4bel
Introduced: 8 May 2026
NewCVE-2026-43500 (opens in a new tab)How to fix?
Upgrade torvalds/linux to version 7.1-rc3 or higher.
Overview
Affected versions of this package are vulnerable to Write-what-where Condition collectively knows as the "RxRPC Page-Cache Write" vulnerability, part of the "Dirty Frag" chain and that acts as a strategic bypass mechanism to achieve root access on systems where the primary exploit fails. According to the documentation, the main vulnerability (xfrm-ESP) requires the ability to create unprivileged user namespaces. However, distributions like Ubuntu often block this via AppArmor policies. The RxRPC variant solves this because it does not require namespace creation privileges. Instead, it only requires the rxrpc.ko kernel module to be loaded (which is the default behavior on Ubuntu). By chaining this RxRPC vulnerability, the exploit covers the blind spots of the xfrm-ESP method, ensuring reliable page-cache manipulation and universal privilege escalation across all major Linux distributions.