Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.8
CVE-2026-46300: Linux Kernel: Coalescing Fragments Can Cause Data Corruption
CVE-2026-46300
Summary
This issue affects the Linux kernel's networking component. If not fixed, it could allow unauthorized access to encrypted data. To address this, update your Linux kernel to the latest version.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| linux | linux_kernel |
>= 3.9, <= 5.10.257 >= 5.11, < 5.15.208 >= 5.16, < 6.1.174 >= 6.2, < 6.6.141 >= 6.7, < 6.12.91 >= 6.13, < 6.18.33 >= 6.19, < 7.0.10 7.1 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
Original title
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: preserve shared-frag marker during coalescing
skb_try_coalesce() can attach paged frags from @from to @to. If @fr...
Original description
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: preserve shared-frag marker during coalescing
skb_try_coalesce() can attach paged frags from @from to @to. If @from
has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
externally-owned or page-cache-backed frags, but the shared-frag marker
is currently lost.
That breaks the invariant relied on by later in-place writers. In
particular, ESP input checks skb_has_shared_frag() before deciding
whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP
receive coalescing has moved shared frags into an unmarked skb, ESP can
see skb_has_shared_frag() as false and decrypt in place over page-cache
backed frags.
Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
frags. The tailroom copy path does not need the marker because it copies
bytes into @to's linear data rather than transferring frag descriptors.
net: skbuff: preserve shared-frag marker during coalescing
skb_try_coalesce() can attach paged frags from @from to @to. If @from
has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
externally-owned or page-cache-backed frags, but the shared-frag marker
is currently lost.
That breaks the invariant relied on by later in-place writers. In
particular, ESP input checks skb_has_shared_frag() before deciding
whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP
receive coalescing has moved shared frags into an unmarked skb, ESP can
see skb_has_shared_frag() as false and decrypt in place over page-cache
backed frags.
Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
frags. The tailroom copy path does not need the marker because it copies
bytes into @to's linear data rather than transferring frag descriptors.
nvd CVSS3.1
7.8
Vulnerability type
CWE-787
Out-of-bounds Write
- https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c Patch
- https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987 Patch
- https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111 Patch
- https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a Patch
- https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e Patch
- https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0 Patch
- https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5 Patch
- https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3 Patch
- http://www.openwall.com/lists/oss-security/2026/05/13/5 Mailing List
- http://www.openwall.com/lists/oss-security/2026/05/21/11 Mailing List
- http://www.openwall.com/lists/oss-security/2026/05/21/12 Mailing List
- http://www.openwall.com/lists/oss-security/2026/05/21/13 Mailing List
Published: 23 May 2026 · Updated: 31 May 2026 · First seen: 26 May 2026