CVE-2026-46300

HIGH EPSS 88.2%
Published May 23, 20261mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published May 23, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
88.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 11

VendorProductVersionRange
linuxlinux_kernel*≥3.9  –  ≤5.10.257
linuxlinux_kernel*≥5.11  –  <5.15.208
linuxlinux_kernel*≥5.16  –  <6.1.174
linuxlinux_kernel*≥6.2  –  <6.6.141
linuxlinux_kernel*≥6.7  –  <6.12.91
linuxlinux_kernel*≥6.13  –  <6.18.33
linuxlinux_kernel*≥6.19  –  <7.0.10
linuxlinux_kernel7.1any
linuxlinux_kernel7.1any
linuxlinux_kernel7.1any
linuxlinux_kernel7.1any

References 12

  • openwall.com http://www.openwall.com/lists/oss-security/2026/05/13/5
    Mailing List
  • openwall.com http://www.openwall.com/lists/oss-security/2026/05/21/11
    Mailing List
  • openwall.com http://www.openwall.com/lists/oss-security/2026/05/21/12
    Mailing List
  • openwall.com http://www.openwall.com/lists/oss-security/2026/05/21/13
    Mailing List
  • git.kernel.org https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3
    Patch