Hot patch solution for CVE-2026-43284

更新时间:
复制 MD 格式

This topic describes the hot patch solution for CVE-2026-43284 on Alibaba Cloud Linux to help you safely perform online remediation and phased rollout in production environments.

Warning
  1. Applying a hot patch changes the kernel's execution path and may introduce stability risks in complex production environments. You must strictly follow a phased deployment strategy, rolling out the patch in batches. Do not apply it to your entire production environment at once. During the phased deployment, closely monitor service stability, error logs, and performance metrics. Gradually expand the deployment scope only after confirming that there are no anomalies. If you encounter any issues, perform a rollback immediately.

  2. This hot patch solution applies only to the Alibaba Cloud Linux operating system.

Background

CVE-2026-43284 is a high-risk local privilege escalation vulnerability in the Linux kernel's implementation of the IPsec Encapsulating Security Payload (ESP) protocol.

This vulnerability is caused by the kernel's failure to correctly validate the writable attribute of memory pages when processing unaligned encrypted data fragments (Frags). An attacker can craft specific IPsec policies and socket operations to trick the kernel into writing decrypted data into the page cache of a protected file. By precisely controlling the write location, an attacker can modify system configurations or in-memory copies of privileged binaries without direct file write permissions, leading to privilege escalation from a standard user to root. For more details, see the [Security Bulletin] Linux Kernel "Dirty Frag" Local Privilege Escalation Vulnerability Risk Notice.

Solution

This solution builds a hot patch module from the official upstream patch and uses the kernel livepatch feature to dynamically redirect kernel function paths and correct the logic for handling shared pages within the ESP protocol stack.

The core of the fix is to redirect the vulnerable in-place decryption path to a secure copy-on-write model, which enables an online fix without service interruptions or a system reboot.

Important

The hot patch solution intercepts the zero-copy decryption path in some scenarios, redirecting in-place decryption to a memory copy mode. Consequently, for high-bandwidth IPsec services, this may increase CPU usage and decrease network throughput. Closely monitor business performance metrics and system load. Furthermore, in specific scenarios where the function to be patched is on a hot path, the hot patch may fail to load automatically, leaving the system vulnerable. If this occurs, manually load the hot patch and verify that it is enabled.

Supported products and versions

Product

Kernel version

Architecture

Alibaba Cloud Linux 3

5.10.134-19.3.1.al8 and earlier

x86_64 / aarch64

Alibaba Cloud Linux 4

6.6.102-5.4.1.alnx4 and earlier

x86_64

Important

The hot patch solution is currently not available for Alibaba Cloud Linux 4 on the aarch64 architecture. We recommend that you upgrade the kernel version instead.

Procedure

Step 1: Check prerequisites

Verify that kernel livepatch support is enabled. It is enabled by default.

# Check if livepatch is enabled
test -d /sys/kernel/livepatch && echo "livepatch sysfs OK"

Step 2: Install the RPM package

# Check your current kernel version
uname -r
# Search for available hot patch packages
yum search kernel-hotfix-27289074
# Install the RPM package that matches your kernel version
sudo yum install kernel-hotfix-27289074-<kernel-version>
Important

If you change your kernel version, you must install the corresponding hot patch package.

Step 3: Verify the patch status

# Check the hot patch loading status
kpatch list

Expected output: The Loaded patch modules section contains kpatch_27289074 [enabled].

Rollback

If you encounter any issues, uninstall the package to roll back:

sudo yum remove kernel-hotfix-27289074-*

To verify the rollback:

kpatch list

Expected output: The output no longer contains kpatch_27289074 [enabled].

FAQ

What do I do if the hot patch fails to load?

The hot patch typically loads automatically during RPM package installation and takes effect automatically after a system reboot.

In some cases, for example, when the target function is on a hot path, the hot patch may fail to load automatically. You can load it manually:

kpatch load kpatch_27289074
kpatch list

The hot patch is loaded successfully when the output includes kpatch_27289074 [enabled].