Linux kernel, Shared-frag marker loss, CVE-2026-46300 (Medium)

Listen to this Post

How the mentioned CVE works (technical details)

The vulnerability resides in the Linux kernel’s `skb_try_coalesce()` function, which merges packet buffer fragments from one socket buffer (@from) into another (@to). When `@from` has the `SKBFL_SHARED_FRAG` flag set – indicating that its page fragments are externally owned (e.g., page cache or shared memory) – the coalescing operation does not propagate this flag to @to. Consequently, the receiving `skb` ends up holding shared fragments without the corresponding marker. Kernel code relies on `skb_has_shared_frag()` to detect such shared fragments before performing in-place modifications. In the ESP (Encapsulating Security Payload) input path, the function checks `skb_has_shared_frag()` to decide whether it can safely decrypt the packet in place without first copying the data (skb_cow_data()). Because the coalesced `skb` lacks the marker, `skb_has_shared_frag()` returns false even though the fragments are shared. ESP then proceeds to decrypt directly over page‑cache backed fragments, leading to corruption of shared data, potential information disclosure, or system instability. The tailroom copy path is unaffected because it copies bytes into linear data, not transferring frag descriptors.

dailycve form

Platform: Linux kernel
Version: 5.4 – 6.13
Vulnerability : Shared frag loss
Severity: Medium
date: 05/23/2026

Prediction: Released May 2026

What Undercode Say (Analytics)

Check if your kernel is affected (version range)
uname -r | grep -E "^(5.4|5.1[0-9]|6.[0-9]|6.1[0-3])"
Simulate skb coalescing behavior (conceptual)
echo "skb_try_coalesce() missing SKBFL_SHARED_FRAG propagation"
Monitor ESP in-place decryption anomalies
sudo perf trace -e skb: -e esp: --max-events=20
Verify patch presence (commit hash example)
git log --oneline | grep -i "skb: preserve shared-frag marker"

Exploit

No public exploit exists. However, an attacker could trigger the flaw by forcing TCP receive coalescing of ESP‑encrypted packets that reference page‑cache fragments (e.g., via `splice()` or sendfile()). When ESP decrypts in place, the attacker may observe corrupted page cache or cause a kernel panic, leading to denial of service or data leakage.

Protection from this CVE

  • Apply kernel patch (commit net: skbuff: preserve shared-frag marker during coalescing).
  • Disable ESP hardware offloads temporarily: echo 0 > /proc/sys/net/ipv4/conf/all/esp_offload.
  • Use kernel parameters: `skb_shared_frag_force_copy=1` (if backported).
  • Mitigate by avoiding TCP coalescing on ESP sockets: setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one)).

Impact

  • Confidentiality: In‑place decryption over shared page‑cache fragments may expose kernel memory or file contents.
  • Integrity: Corruption of shared pages can affect multiple processes or the filesystem.
  • Availability: System crashes or hangs due to inconsistent fragment state.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top