PatchSiren cyber security CVE debrief
CVE-2026-43503 Linux CVE debrief
This CVE addresses a vulnerability in the Linux kernel's socket buffer (skbuff) subsystem where the SKBFL_SHARED_FRAG flag was not properly propagated through several fragment-transfer helper functions. When fragment descriptors are moved between skbuffs, this flag indicates that the destination buffer references externally-owned or page-cache-backed pages that require copy-on-write handling. The omission allowed destination buffers to retain references to shared pages while reporting skb_has_shared_frag() as false, bypassing protective copy mechanisms in in-place writers. The vulnerability was exploitable through ESP input processing combined with nftables packet duplication rules, potentially enabling unprivileged writes to page cache of root-owned read-only files. The fix ensures SKBFL_SHARED_FRAG is set on destination buffers whenever fragment descriptors are transferred, affecting __pskb_copy_fclone(), skb_shift(), skb_gro_receive(), skb_gro_receive_list(), tcp_clone_payload(), and skb_segment().
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-23
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-23
- Advisory updated: 2026-05-26
Who should care
Linux system administrators, kernel maintainers, security teams operating IPsec/VPN infrastructure, and organizations using nftables with packet duplication features.
Technical summary
The vulnerability exists in multiple skbuff helper functions that transfer page fragment descriptors between socket buffers without propagating the SKBFL_SHARED_FRAG flag. This flag is critical for copy-on-write decisions: when set, skb_has_shared_frag() returns true and triggers skb_cow_data() to create private copies before in-place modification. Affected helpers include __pskb_copy_fclone(), skb_shift(), skb_gro_receive(), skb_gro_receive_list(), tcp_clone_payload(), and skb_segment(). The ESP input path (esp4.c, esp6.c) uses skb_has_shared_frag() to protect against modifying shared pages, but when combined with nf_dup_ipv4() or xt_TEE (triggered by nftables 'dup to' rules), the copied skb arrives with the flag stripped. This allows subsequent authencesn-ESN processing to perform stray writes into page cache pages. The fix adds flag propagation at all identified transfer points, ensuring destination buffers correctly indicate shared page references.
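The flag-propagation gap described above, as an added userspace model (not kernel code, and not taken from the CVE record or the fix commits). The `model_*` helpers, the single-fragment `model_skb` struct and the numeric flag value are assumptions made for illustration; only the name SKBFL_SHARED_FRAG comes from the page.

```c
/* Userspace model, not kernel code: model_* names and the struct are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SKBFL_SHARED_FRAG 0x2u /* kernel flag name; the value here is a stand-in */
#define PAGE_LEN 16
struct model_skb { unsigned int flags; unsigned char *frag; }; /* frag points at a page */

static bool model_has_shared_frag(const struct model_skb *skb)
{
    return skb->frag && (skb->flags & SKBFL_SHARED_FRAG);
}

/* Move the fragment descriptor from src to dst, as a transfer helper does. */
static void model_transfer_frag(struct model_skb *dst, struct model_skb *src, bool propagate)
{
    dst->frag = src->frag;
    src->frag = NULL;
    if (propagate) dst->flags |= src->flags & SKBFL_SHARED_FRAG; /* the step the fix adds */
}

/* In-place writer: copies first only when the flag reports a shared page. */
static void model_inplace_write(struct model_skb *skb, unsigned char val)
{
    if (model_has_shared_frag(skb)) {
        unsigned char *priv = malloc(PAGE_LEN);
        if (!priv) abort();
        memcpy(priv, skb->frag, PAGE_LEN);
        skb->frag = priv;
        skb->flags &= ~SKBFL_SHARED_FRAG;
    }
    skb->frag[0] = val;
}

/* Returns true if the write reached the externally owned page. */
static bool shared_page_modified(bool propagate)
{
    unsigned char page_cache[PAGE_LEN] = "root-owned data"; /* constructed sample */
    struct model_skb src = { SKBFL_SHARED_FRAG, page_cache }, dst = { 0, NULL };
    model_transfer_frag(&dst, &src, propagate);
    model_inplace_write(&dst, 'X');
    bool hit = page_cache[0] != 'r';
    if (dst.frag != page_cache) free(dst.frag);
    return hit;
}
int main(void)
{
    printf("shared page modified: unfixed=%d fixed=%d\n", shared_page_modified(false), shared_page_modified(true));
}
```

The writer's copy-on-write check is unchanged between the two runs; only the transfer helper's handling of the flag decides whether the shared page is protected.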
Defensive priority
high
Recommended defensive actions
- Apply kernel updates containing the referenced stable branch commits when available from your Linux distribution
- Monitor distribution security advisories for backported fixes to affected kernel versions
- Review systems running kernel versions with ESP/IPsec and nftables/iptables TEE/DUP targets for potential exposure
- Consider disabling unprivileged user namespaces or restricting nftables rulesets as interim hardening measures where patching is delayed
- Audit for presence of nftables rules using 'dup to' or xt_TEE targets that could trigger the vulnerable code path
Evidence notes
The vulnerability description is sourced from the official CVE record published 2026-05-23 and modified 2026-05-26. Multiple kernel stable branch commits are referenced in the source data, indicating backports across supported kernel versions. The vendor is identified as the Linux Kernel project based on reference domain analysis. No CVSS score or severity rating is currently assigned in the source data.
Official resources
- CVE-2026-43503 CVE record (CVE.org)
- CVE-2026-43503 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-05-23T12:17:02.547Z