net: skbuff: preserve shared-frag marker during coalescing_CVE-2026-46300

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: preserve shared-frag marker during coalescing

skb_try_coalesce() can attach paged frags from @from to @to. If @from
has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
externally-owned or page-cache-backed frags, but the shared-frag marker
is currently lost.

That breaks the invariant relied on by later in-place writers. In
particular, ESP input checks skb_has_shared_frag() before deciding
whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP
receive coalescing has moved shared frags into an unmarked skb, ESP can
see skb_has_shared_frag() as false and decrypt in place over page-cache
backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
frags. The tailroom copy path does not need the marker because it copies
bytes into @to's linear data rather than transferring frag descriptors.

Basic Information

ID CVE-2026-46300

Source Linux

Published May 23, 2026 at 11:44

Modified May 30, 2026 at 10:49

Affected Product

Vendor Linux

Product Linux

Version cef401de7be8c4e155c6746bfccf721a4fa5fab9

Affected Versions Linux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9
Linux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9
Linux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9
Linux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9
Linux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9
Linux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9
Linux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9
Linux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9
Linux Linux 3.9

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: preserve shared-frag marker during coalescing\n\nskb_try_coalesce() can attach paged frags from @from to @to.  If @from\nhas SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same\nexternally-owned or page-cache-backed frags, but the shared-frag marker\nis currently lost.\n\nThat breaks the invariant relied on by later in-place writers.  In\nparticular, ESP input checks skb_has_shared_frag() before deciding\nwhether an uncloned nonlinear skb can skip skb_cow_data().  If TCP\nreceive coalescing has moved shared frags into an unmarked skb, ESP can\nsee skb_has_shared_frag() as false and decrypt in place over page-cache\nbacked frags.\n\nPropagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged\nfrags.  The tailroom copy path does not need the marker because it copies\nbytes into @to's linear data rather than transferring frag descriptors.",
    "published": "2026-05-23T11:44:02.231Z",
    "modified": "2026-05-30T10:49:36.824Z",
    "type": "cve",
    "title": "net: skbuff: preserve shared-frag marker during coalescing",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987\nhttps://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c\nhttps://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5\nhttps://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0\nhttps://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e\nhttps://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a\nhttps://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111\nhttps://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3",
    "id": "CVE-2026-46300",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9\nLinux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9\nLinux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9\nLinux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9\nLinux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9\nLinux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9\nLinux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9\nLinux Linux cef401de7be8c4e155c6746bfccf721a4fa5fab9\nLinux Linux 3.9",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply