CVE-2026-46300
- Source
- https://cve.org/CVERecord?id=CVE-2026-46300
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46300.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-46300
- Downstream
- Related
- Published
- 2026-05-23T11:44:02.231Z
- Modified
- 2026-06-18T03:54:41.916063137Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- net: skbuff: preserve shared-frag marker during coalescing
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: preserve shared-frag marker during coalescing
skbtrycoalesce() can attach paged frags from @from to @to. If @from has SKBFLSHAREDFRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.
That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skbhassharedfrag() before deciding whether an uncloned nonlinear skb can skip skbcowdata(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skbhassharedfrag() as false and decrypt in place over page-cache backed frags.
Propagate SKBFLSHAREDFRAG when skbtrycoalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46300.json" }- References
-
- http://www.openwall.com/lists/oss-security/2026/05/13/5
- http://www.openwall.com/lists/oss-security/2026/05/21/11
- http://www.openwall.com/lists/oss-security/2026/05/21/12
- http://www.openwall.com/lists/oss-security/2026/05/21/13
- https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c
- https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987
- https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111
- https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a
- https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e
- https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0
- https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5
- https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46300.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-46300
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcef401de7be8c4e155c6746bfccf721a4fa5fab9Fixed3599e6b3cc1ada96883d496a50a210d3afbb6987Fixed2f2b16022a2e10ca7bccfb98db5ed2ec0f72641cFixed9d3e5fd19fe1063bf607219e8562fbd567b8e8d5Fixed78bf6b6bb19541d19fbda6242e7cfe2c682763c0Fixed760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34eFixed3bd9e113d50034db99d7ef69fd8e5242d15e414aFixed3884358a9286b17f389a72b1426fc4547c23c111Fixedf84eca5817390257cef78013d0112481c503b4a3
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced3.9.0Fixed5.10.257
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.208
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.174
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.141
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.91
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.33
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed7.0.10