CVE-2026-43503
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
23/05/2026
Last modified:
02/07/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: skbuff: propagate shared-frag marker through frag-transfer helpers<br />
<br />
Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail<br />
to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when<br />
moving frags from source to destination. __pskb_copy_fclone() defers<br />
the rest of the shinfo metadata to skb_copy_header() after copying<br />
frag descriptors, but that helper only carries over gso_{size,segs,<br />
type} and never touches skb_shinfo()->flags; skb_shift() moves frag<br />
descriptors directly and leaves flags untouched. As a result, the<br />
destination skb keeps a reference to the same externally-owned or<br />
page-cache-backed pages while reporting skb_has_shared_frag() as<br />
false.<br />
<br />
The mismatch is harmful in any in-place writer that uses<br />
skb_has_shared_frag() to decide whether shared pages must be detoured<br />
through skb_cow_data(). ESP input is one such writer (esp4.c,<br />
esp6.c), and a single nft &#39;dup to &#39; rule -- or any other<br />
nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()&#39;d<br />
skb in esp_input() with the marker stripped, letting an unprivileged<br />
user write into the page cache of a root-owned read-only file via<br />
authencesn-ESN stray writes.<br />
<br />
Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors<br />
were actually moved from the source. skb_copy() and skb_copy_expand()<br />
share skb_copy_header() too but linearize all paged data into freshly<br />
allocated head storage and emerge with nr_frags == 0, so<br />
skb_has_shared_frag() returns false on its own; they need no change.<br />
<br />
The same omission exists in skb_gro_receive() and skb_gro_receive_list().<br />
The former moves the incoming skb&#39;s frag descriptors into the<br />
accumulator&#39;s last sub-skb via two paths (a direct frag-move loop and<br />
the head_frag + memcpy path); the latter chains the incoming skb whole<br />
onto p&#39;s frag_list. Downstream skb_segment() reads only<br />
skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb&#39;s<br />
shinfo as the nskb -- both p and lp must carry the marker.<br />
<br />
The same omission also exists in tcp_clone_payload(), which builds an<br />
MTU probe skb by moving frag descriptors from skbs on sk_write_queue<br />
into a freshly allocated nskb. The helper falls into the same family<br />
and warrants the same fix for consistency; no TCP TX-side in-place<br />
writer is currently known to reach a user page through this gap, but<br />
a future consumer depending on the marker would regress silently.<br />
<br />
The same omission exists in skb_segment(): the per-iteration flag<br />
merge takes only head_skb&#39;s flag, and the inner switch that rebinds<br />
frag_skb to list_skb on head_skb-frags exhaustion does not fold the<br />
new frag_skb&#39;s flag into nskb. Fold frag_skb&#39;s flag at both sites<br />
so segments drawing frags from frag_list members carry the marker.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.9 (including) | 5.10.257 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.208 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.174 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.141 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.91 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.33 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee
- https://git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196
- https://git.kernel.org/stable/c/48f6a5356a33dd78e7144ae1faef95ffc990aae0
- https://git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349
- https://git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20
- https://git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991
- https://git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8
- https://git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d
- https://access.redhat.com/errata/RHSA-2026:19521
- https://access.redhat.com/errata/RHSA-2026:19540
- https://access.redhat.com/errata/RHSA-2026:19568
- https://access.redhat.com/errata/RHSA-2026:19569
- https://access.redhat.com/errata/RHSA-2026:19664
- https://access.redhat.com/errata/RHSA-2026:19666
- https://access.redhat.com/errata/RHSA-2026:19705
- https://access.redhat.com/errata/RHSA-2026:19711
- https://access.redhat.com/errata/RHSA-2026:19875
- https://access.redhat.com/errata/RHSA-2026:20051
- https://access.redhat.com/errata/RHSA-2026:20054
- https://access.redhat.com/errata/RHSA-2026:20087
- https://access.redhat.com/errata/RHSA-2026:20129
- https://access.redhat.com/errata/RHSA-2026:20130
- https://access.redhat.com/errata/RHSA-2026:20299
- https://access.redhat.com/errata/RHSA-2026:20593
- https://access.redhat.com/errata/RHSA-2026:21656
- https://access.redhat.com/errata/RHSA-2026:21690
- https://access.redhat.com/errata/RHSA-2026:21695
- https://access.redhat.com/errata/RHSA-2026:21702
- https://access.redhat.com/errata/RHSA-2026:23233
- https://access.redhat.com/errata/RHSA-2026:23240
- https://access.redhat.com/errata/RHSA-2026:23245
- https://access.redhat.com/errata/RHSA-2026:23468
- https://access.redhat.com/errata/RHSA-2026:23469
- https://access.redhat.com/errata/RHSA-2026:23470
- https://access.redhat.com/errata/RHSA-2026:23471
- https://access.redhat.com/errata/RHSA-2026:24814
- https://access.redhat.com/errata/RHSA-2026:25044
- https://access.redhat.com/errata/RHSA-2026:33486
- https://access.redhat.com/security/cve/CVE-2026-43503
- https://bugzilla.redhat.com/show_bug.cgi?id=2480902
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43503.json



