net: skbuff: propagate shared-frag marker through frag-transfer helpers

Summary

CVE	CVE-2026-43503
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-23 12:17:02 UTC
Updated	2026-05-26 20:06:20 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false. The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes. Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change. The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker. The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently. The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.

Risk And Classification

EPSS: 0.000240000 probability, percentile 0.072350000 (date 2026-05-27)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected cef401de7be8c4e155c6746bfccf721a4fa5fab9 fbeab9555564a1b98e8582cd106dfe46c4606991 git	Not specified
CNA	Linux	Linux	affected cef401de7be8c4e155c6746bfccf721a4fa5fab9 179f1852bdedc300e373e807cc102cd81feff196 git	Not specified
CNA	Linux	Linux	affected cef401de7be8c4e155c6746bfccf721a4fa5fab9 12401fcfb01f53ccc63ab0a3246570fe8f3105ee git	Not specified
CNA	Linux	Linux	affected cef401de7be8c4e155c6746bfccf721a4fa5fab9 989214c66884d70716d83dc1d0bf5e16287bf349 git	Not specified
CNA	Linux	Linux	affected cef401de7be8c4e155c6746bfccf721a4fa5fab9 fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8 git	Not specified
CNA	Linux	Linux	affected cef401de7be8c4e155c6746bfccf721a4fa5fab9 ff375cc75f9167168db38e0464a482d5fbc8d81d git	Not specified
CNA	Linux	Linux	affected cef401de7be8c4e155c6746bfccf721a4fa5fab9 9bc9d6d6967a2239aa57af2aa53554eddd640d20 git	Not specified
CNA	Linux	Linux	affected cef401de7be8c4e155c6746bfccf721a4fa5fab9 48f6a5356a33dd78e7144ae1faef95ffc990aae0 git	Not specified
CNA	Linux	Linux	affected 3.9	Not specified
CNA	Linux	Linux	unaffected 3.9 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.257 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.208 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.174 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.141 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.91 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.33 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.10 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc5 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/48f6a5356a33dd78e7144ae1faef95ffc990aae0	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.