In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: propagate shared-frag marker through frag-transfer helpers
Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs,type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false.
The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn ESN stray writes.
Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change.
The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker.
The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently.
The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.
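A user-space model of the missing-marker bug and its fix, added here as an illustration; it is not part of the kernel patch and not kernel code. The structures are toy stand-ins, the bit value of SKBFL_SHARED_FRAG is assumed, and copy_frags_buggy(), copy_frags_fixed(), copy_linearize(), inplace_write() and page_corrupted_after() are hypothetical names standing in for the __pskb_copy_fclone(), skb_copy() and esp_input() paths the text describes. It shows why a copy that duplicates frag descriptors without the flag lets an in-place writer reach the shared page, why setting the flag when frags move prevents that, and why a linearizing copy needs no flag at all.

```c
/* Toy model of SKBFL_SHARED_FRAG propagation (added example, not kernel code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKBFL_SHARED_FRAG 0x02u   /* assumed bit value for this model */
#define MAX_FRAGS 4
#define PAGE_BYTES 16

struct page { char data[PAGE_BYTES]; };        /* stand-in for a page-cache page */
struct frag { struct page *page; int len; };
struct shinfo {
	uint32_t flags;                            /* SKBFL_* bits */
	int nr_frags;
	struct frag frags[MAX_FRAGS];
	int gso_size, gso_segs, gso_type;
};
struct skb {
	struct shinfo si;
	char head[PAGE_BYTES * MAX_FRAGS];         /* private head storage */
	int head_len;
};

static bool skb_has_shared_frag(const struct skb *s)
{
	return (s->si.flags & SKBFL_SHARED_FRAG) != 0;
}

/* What the text says skb_copy_header() carries over: GSO fields, never flags. */
static void copy_header(struct skb *dst, const struct skb *src)
{
	dst->si.gso_size = src->si.gso_size;
	dst->si.gso_segs = src->si.gso_segs;
	dst->si.gso_type = src->si.gso_type;
}

/* Buggy transfer: frag descriptors are duplicated (same pages), flags are not. */
static void copy_frags_buggy(struct skb *dst, const struct skb *src)
{
	memset(dst, 0, sizeof(*dst));
	for (int i = 0; i < src->si.nr_frags; i++)
		dst->si.frags[i] = src->si.frags[i];
	dst->si.nr_frags = src->si.nr_frags;
	copy_header(dst, src);
}

/* Fixed transfer: mark the destination shared whenever frags were moved. */
static void copy_frags_fixed(struct skb *dst, const struct skb *src)
{
	copy_frags_buggy(dst, src);
	if (dst->si.nr_frags)
		dst->si.flags |= SKBFL_SHARED_FRAG;
}

/* Linearizing copy modelled on skb_copy(): paged bytes land in a fresh head,
 * so the copy owns its data and emerges with nr_frags == 0. */
static void copy_linearize(struct skb *dst, const struct skb *src)
{
	memset(dst, 0, sizeof(*dst));
	for (int i = 0; i < src->si.nr_frags; i++) {
		memcpy(dst->head + dst->head_len, src->si.frags[i].page->data,
		       (size_t)src->si.frags[i].len);
		dst->head_len += src->si.frags[i].len;
	}
	copy_header(dst, src);
}

/* In-place writer following the ESP-input pattern: if the skb reports shared
 * frags, detour the page into private scratch storage first (the kernel's
 * skb_cow_data()); otherwise write straight into whatever the frag points at. */
static void inplace_write(struct skb *s, struct page *scratch, char byte)
{
	if (s->si.nr_frags == 0) {
		if (s->head_len)
			s->head[0] = byte;
		return;
	}
	if (skb_has_shared_frag(s)) {
		*scratch = *s->si.frags[0].page;
		s->si.frags[0].page = scratch;
	}
	s->si.frags[0].page->data[0] = byte;
}

/* Builds a source skb whose only frag is a shared, read-only page, copies it
 * with `transfer`, writes through the copy, and reports 1 if the shared page
 * was modified (the bug) or 0 if the write was detoured or stayed private. */
static int page_corrupted_after(void (*transfer)(struct skb *, const struct skb *))
{
	struct page file_page = { "rootfile" };    /* constructed sample page */
	struct page scratch;
	struct skb src, dst;

	memset(&src, 0, sizeof(src));
	src.si.flags = SKBFL_SHARED_FRAG;
	src.si.nr_frags = 1;
	src.si.frags[0].page = &file_page;
	src.si.frags[0].len = PAGE_BYTES;
	transfer(&dst, &src);
	inplace_write(&dst, &scratch, 'X');
	return file_page.data[0] == 'X';
}

int main(void)
{
	printf("buggy copy corrupts shared page: %d\n", page_corrupted_after(copy_frags_buggy));
	printf("fixed copy corrupts shared page: %d\n", page_corrupted_after(copy_frags_fixed));
	printf("linearized copy corrupts shared page: %d\n", page_corrupted_after(copy_linearize));
	return 0;
}
```

The model keeps the three cases the commit distinguishes side by side: the buggy helper leaves the copy pointing at the shared page with the flag clear, so the writer has no reason to detour; the fixed helper sets the flag whenever it moved frag descriptors; and the linearizing copy owns its bytes outright, which is why the text says skb_copy() and skb_copy_expand() need no change.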
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43503.json",
"cna_assigner": "Linux"
}