HIGH
Fragnesia
CVE-2026-46300
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.
02KernelScan AI Analysis
Risk summary
Any Linux system with the XFRM ESP-in-TCP subsystem loaded and unprivileged user namespace access (the default on most distributions) is at risk. A public, fully-functional proof-of-concept exploit is available that achieves reliable local privilege escalation to root. The attack leaves no trace on disk as it modifies only the in-memory page cache.
Vulnerability analysis
Summary: A type confusion vulnerability in the ESP-in-TCP receive path allows an unprivileged local attacker to overwrite page-cache contents of read-only files, leading to local privilege escalation to root.
Root Cause: When a TCP socket transitions to the ESP-in-TCP ULP after file data has been spliced into its receive queue via splice(2), the kernel misinterprets the queued file-backed skb fragments as ESP ciphertext. The subsequent AES-GCM decryption XORs keystream bytes directly into the shared page-cache pages, corrupting the file contents.
Attack Surface: Local access, reachable by any user capable of creating user namespaces (a default configuration). The attacker must be able to call splice(2) on a readable file, set up an ESP-in-TCP socket, and trigger the ULP transition.
Fix Mechanism: The fix ensures that the shared-frag (page-cache) marker on skb fragments is properly propagated during skb coalesce and clone operations, preventing file pages from being processed as network ciphertext. Multiple patch revisions address variant paths including skb_try_coalesce and __pskb_copy_fclone.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.257 | 3599e6b3cc1a |
| 5.15 | 5.15.208 | 2f2b16022a2e |
| 6.1 | 6.1.174 | 9d3e5fd19fe1 |
| 6.12 | 6.12.91 | 760e1addc27b |
| 6.18 | 6.18.33 | 3bd9e113d500 |
| 6.6 | 6.6.141 | 78bf6b6bb195 |
| 7.0 | 7.0.10 | 3884358a9286 |
| mainline | 7.1-rc5 | f84eca581739 |