CVE-2026-46300EXPLOITEDPATCHED

linux · linux_kernel

net: skbuff: preserve shared-frag marker during coalescing

Description

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

Affected Products

Vendor	Product	Versions
linux	linux_kernel	cef401de7be8c4e155c6746bfccf721a4fa5fab9, cef401de7be8c4e155c6746bfccf721a4fa5fab9, cef401de7be8c4e155c6746bfccf721a4fa5fab9, cef401de7be8c4e155c6746bfccf721a4fa5fab9, cef401de7be8c4e155c6746bfccf721a4fa5fab9, cef401de7be8c4e155c6746bfccf721a4fa5fab9, cef401de7be8c4e155c6746bfccf721a4fa5fab9, cef401de7be8c4e155c6746bfccf721a4fa5fab9, 3.9

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
fedora	fedora linux	cert_advisory	90%
linux	linux	mitre_affected	90%
open source	open source linux kernel	cert_advisory	90%

References

Related News (19 articles)

Tier B

CERT-FR2d ago

Multiples vulnérabilités dans le noyau Linux d'Ubuntu (26 juin 2026)

→ No new info (linked only)

Tier B

CERT-FR18d ago

Multiples vulnérabilités dans les produits Microsoft (10 juin 2026)

→ No new info (linked only)

Tier B

CERT-FR23d ago

Multiples vulnérabilités dans le noyau Linux de SUSE (05 juin 2026)

→ No new info (linked only)

Tier B

CERT-FR30d ago

Multiples vulnérabilités dans le noyau Linux de Debian (29 mai 2026)

→ No new info (linked only)

Tier C

Exploit-DB30d ago

[local] Linux Kernel - Local Privilege Escalation

→ No new info (linked only)

Tier A

Microsoft MSRC31d ago

CVE-2026-46300 net: skbuff: preserve shared-frag marker during coalescing

→ No new info (linked only)

Tier C

Linux Kernel CVEs35d ago

CVE-2026-46300: net: skbuff: propagate shared-frag marker through frag-transfer helpers

→ No new info (linked only)

Tier C

oss-security36d ago

Re: Linux kernel: Dirty Frag variants — fix merged into netdev

→ No new info (linked only)

Tier B

CERT-FR37d ago

Multiples vulnérabilités dans le noyau Linux de Red Hat (22 mai 2026)

→ No new info (linked only)

Tier B

CERT-FR37d ago

Multiples vulnérabilités dans le noyau Linux de SUSE (22 mai 2026)

→ No new info (linked only)

Tier C

oss-security37d ago

Re: Linux kernel: Dirty Frag variants — fix merged into netdev

→ No new info (linked only)

Tier D

Heise Security43d ago

„Fragnesia“: Nächste Rechteausweitungslücke im Linux-Kernel

→ No new info (linked only)

Tier B

BSI Advisories43d ago

[NEU] [hoch] Linux Kernel (Fragnesia): Schwachstelle ermöglicht Erlangen von Administratorrechten

→ No new info (linked only)

Tier D

SecurityWeek44d ago

New Linux Kernel Vulnerability Fragnesia Allows Root Privilege Escalation

→ No new info (linked only)

Tier D

Infosecurity Magazine44d ago

New Fragnesia Flaw Hands Linux Local Users Root Access

→ No new info (linked only)

Tier D

BleepingComputer44d ago

New Fragnesia Linux flaw lets attackers gain root privileges

→ No new info (linked only)

Tier D

The Hacker News44d ago

New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption

→ No new info (linked only)

Tier C

VulDB44d ago

CVE-2026-46300 | Linux Kernel XFRM ESP-in-TCP Subsystem Fragnesia write-what-where condition

→ No new info (linked only)

Tier C

oss-security45d ago

Re: Linux kernel LPE ("fragnesia", copyfail 3.0)

→ No new info (linked only)

CVSS 3.17.8 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

5.10.2575.15.2086.1.174

PublishedMay 13, 2026

Last enriched29d agov10

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-31431EXPKEV

crypto: algif_aead - Revert to operating out-of-place

Trending: 116

HIGHCVE-2026-43284EXPKEV

xfrm: esp: avoid in-place decrypt on shared skb frags

Trending: 111

HIGHCVE-2026-43500EXPKEV

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

Trending: 105

HIGHCVE-2026-46333EXP

ptrace: slightly saner 'get_dumpable()' logic

Trending: 73

HIGHCVE-2026-43503EXP

net: skbuff: propagate shared-frag marker through frag-transfer helpers

Trending: 57

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 13, 2026

Discovered by ZDM

May 13, 2026

Updated: severity

May 14, 2026

Updated: affectedVersions, tags

May 14, 2026

Updated: description, tags

May 14, 2026

Updated: description, affectedVersions, tags

May 14, 2026

Updated: description, patchAvailable

May 14, 2026

Updated: description, tags

May 15, 2026

Updated: patchAvailable

May 21, 2026

Updated: affectedVersions, patchAvailable

May 23, 2026

Updated: description, affectedVersions, severity, cweIds, tags

May 29, 2026

Actively Exploited

Jun 14, 2026

Exploit Available

Jun 14, 2026

Patch Available

Jun 14, 2026

Version History

v10

Last enriched 29d ago

v10Tier C29d ago

Updated description with detailed exploit information, changed vendor to 'Linux Kernel', added affected versions, updated severity to 'HIGH', and included new CWE IDs and tags.

descriptionaffectedVersionsseveritycweIdstags

via Exploit-DB

v9Tier C35d ago

Updated affected versions to include specific kernel versions and added fixed version numbers.

affectedVersionspatchAvailable

via Linux Kernel CVEs

v8Tier C37d ago

Updated patch information with a specific fix for CVE-2026-46300.

patchAvailable

via oss-security

v7Tier D43d ago

Updated description with technical details, changed vendor to Zellic, updated severity to HIGH, and added CVSS estimate of 7.8.

descriptiontags

via Heise Security

v6Tier D44d ago

Updated description with detailed technical information and noted that patches are now available.

descriptionpatchAvailable

via SecurityWeek

v5Tier D44d ago

Updated description with technical details about the exploitation method and added new tags related to the vulnerability.

descriptionaffectedVersionstags

via Infosecurity Magazine

v4Tier D44d ago

Updated description with new details, added CVSS score of 7.8, and included new CVE ID.

descriptiontags

via The Hacker News

v3Tier D44d ago

Updated description with new technical details, added affected versions, changed severity to HIGH, and included new relevant tags.

affectedVersionstags

via BleepingComputer

v2Tier C44d ago

Updated severity from HIGH to CRITICAL.

severity

via VulDB

v145d ago

Initial creation