Listen to this Post
How the mentioned CVE works (technical details)
The vulnerability resides in the Linux kernel’s `skb_try_coalesce()` function, which merges packet buffer fragments from one socket buffer (@from) into another (@to). When `@from` has the `SKBFL_SHARED_FRAG` flag set – indicating that its page fragments are externally owned (e.g., page cache or shared memory) – the coalescing operation does not propagate this flag to @to. Consequently, the receiving `skb` ends up holding shared fragments without the corresponding marker. Kernel code relies on `skb_has_shared_frag()` to detect such shared fragments before performing in-place modifications. In the ESP (Encapsulating Security Payload) input path, the function checks `skb_has_shared_frag()` to decide whether it can safely decrypt the packet in place without first copying the data (skb_cow_data()). Because the coalesced `skb` lacks the marker, `skb_has_shared_frag()` returns false even though the fragments are shared. ESP then proceeds to decrypt directly over page‑cache backed fragments, leading to corruption of shared data, potential information disclosure, or system instability. The tailroom copy path is unaffected because it copies bytes into linear data, not transferring frag descriptors.
dailycve form
Platform: Linux kernel
Version: 5.4 – 6.13
Vulnerability : Shared frag loss
Severity: Medium
date: 05/23/2026
Prediction: Released May 2026
What Undercode Say (Analytics)
Check if your kernel is affected (version range) uname -r | grep -E "^(5.4|5.1[0-9]|6.[0-9]|6.1[0-3])" Simulate skb coalescing behavior (conceptual) echo "skb_try_coalesce() missing SKBFL_SHARED_FRAG propagation" Monitor ESP in-place decryption anomalies sudo perf trace -e skb: -e esp: --max-events=20 Verify patch presence (commit hash example) git log --oneline | grep -i "skb: preserve shared-frag marker"
Exploit
No public exploit exists. However, an attacker could trigger the flaw by forcing TCP receive coalescing of ESP‑encrypted packets that reference page‑cache fragments (e.g., via `splice()` or sendfile()). When ESP decrypts in place, the attacker may observe corrupted page cache or cause a kernel panic, leading to denial of service or data leakage.
Protection from this CVE
- Apply kernel patch (commit
net: skbuff: preserve shared-frag marker during coalescing). - Disable ESP hardware offloads temporarily:
echo 0 > /proc/sys/net/ipv4/conf/all/esp_offload. - Use kernel parameters: `skb_shared_frag_force_copy=1` (if backported).
- Mitigate by avoiding TCP coalescing on ESP sockets:
setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one)).
Impact
- Confidentiality: In‑place decryption over shared page‑cache fragments may expose kernel memory or file contents.
- Integrity: Corruption of shared pages can affect multiple processes or the filesystem.
- Availability: System crashes or hangs due to inconsistent fragment state.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

