PatchSiren

CVE-2026-46300 Linux CVE debrief

A vulnerability in the Linux kernel's network stack allows the SKBFL_SHARED_FRAG marker to be lost during socket buffer coalescing in skb_try_coalesce(). When TCP receive coalescing transfers paged fragments from one skb to another, the shared-frag marker indicating externally-owned or page-cache-backed memory is not propagated. This breaks an invariant relied upon by in-place writers, specifically ESP (Encapsulating Security Payload) input processing. ESP checks skb_has_shared_frag() to determine whether an uncloned nonlinear skb can skip skb_cow_data(). If the marker is missing due to prior coalescing, ESP may incorrectly perform in-place decryption over page-cache-backed fragments, leading to out-of-bounds write conditions. The vulnerability affects Linux kernel versions from 3.9 through 7.1-rc4. Patches are available from the stable kernel tree.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-23
Original CVE updated: 2026-05-26
Advisory published: 2026-05-23
Advisory updated: 2026-05-26

Who should care

Linux system administrators running IPsec/ESP workloads; security teams managing VPN gateways; kernel maintainers for distributions shipping affected long-term support kernels

Technical summary

The vulnerability exists in net/core/skbuff.c where skb_try_coalesce() attaches paged fragments from a source skb to a destination skb without preserving the SKBFL_SHARED_FRAG flag. When the source skb has externally-owned fragments (e.g., from page cache or zero-copy receive), this marker indicates that in-place modification is unsafe. The ESP input path in net/ipv4/esp4.c and net/ipv6/esp6.c uses skb_has_shared_frag() as a guard before calling skb_cow_data() to ensure writable buffers. If coalescing has stripped the marker, ESP proceeds with in-place decryption, potentially writing decrypted plaintext over page-cache pages. This constitutes an out-of-bounds write (CWE-787) with local attack vector and high impact to confidentiality, integrity, and availability. The fix propagates SKBFL_SHARED_FRAG when paged fragments are transferred during coalescing.
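
The invariant described above, as a simplified userspace model added here (not kernel code and not taken from the advisory): coalescing moves fragments between two buffers, and an in-place writer copies first only when the shared-fragment marker is set. The struct, the model_* functions, the flag value, the sample bytes and the XOR standing in for decryption are assumptions of this example; only the SKBFL_SHARED_FRAG name comes from the text.

```c
#include <stdbool.h>
#include <string.h>

#define SKBFL_SHARED_FRAG 0x1u  /* name from the advisory; value is this model's own */
#define MAX_FRAGS 4
#define FRAG_LEN  16

/* Hypothetical, heavily simplified stand-in for an skb with paged fragments. */
struct model_skb {
    unsigned int flags;
    size_t nr_frags;
    unsigned char *frags[MAX_FRAGS];
};

/* Guard an in-place writer relies on: is any fragment externally owned? */
static bool model_has_shared_frag(const struct model_skb *skb)
{
    return skb->nr_frags > 0 && (skb->flags & SKBFL_SHARED_FRAG) != 0;
}

/* Move fragments to 'to'. propagate=false loses the marker, true carries it over. */
static bool model_coalesce(struct model_skb *to, struct model_skb *from, bool propagate)
{
    if (to->nr_frags + from->nr_frags > MAX_FRAGS)
        return false;                      /* no room: refuse to coalesce */
    for (size_t i = 0; i < from->nr_frags; i++)
        to->frags[to->nr_frags++] = from->frags[i];
    if (propagate)
        to->flags |= from->flags & SKBFL_SHARED_FRAG;
    from->nr_frags = 0;                    /* fragments now belong to 'to' */
    return true;
}

/* Runs the scenario; returns true if the externally owned page was overwritten. */
bool shared_page_overwritten(bool propagate)
{
    unsigned char private_page[FRAG_LEN] = {0}, shared_page[FRAG_LEN], copy[FRAG_LEN];
    struct model_skb to = { 0, 1, { private_page } };
    struct model_skb from = { SKBFL_SHARED_FRAG, 1, { shared_page } };
    memset(shared_page, 0xAA, sizeof(shared_page));  /* constructed "page cache" data */
    if (!model_coalesce(&to, &from, propagate))
        return false;
    for (size_t i = 0; i < to.nr_frags; i++) {
        unsigned char *dst = to.frags[i];
        if (model_has_shared_frag(&to))    /* guard fires: write to a copy instead */
            dst = memcpy(copy, dst, FRAG_LEN);
        for (size_t j = 0; j < FRAG_LEN; j++)
            dst[j] ^= 0x5C;                /* stand-in for in-place decryption */
    }
    return shared_page[0] != 0xAA;
}
```

In this model, shared_page_overwritten(false) reports that the externally owned page was modified, while shared_page_overwritten(true) leaves it intact because the marker survives coalescing and the writer takes the copy path.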

Defensive priority

HIGH

Recommended defensive actions

  • Apply stable kernel patches for affected versions (5.10.258+, 5.15.209+, 6.1.175+, 6.6.142+, 6.12.92+, 6.18.34+, 7.0.11+, or 7.1-rc5+)
  • Prioritize patching systems handling IPsec/ESP traffic with TCP segmentation offload enabled
  • Monitor for kernel updates from distribution vendors for long-term support releases
  • Review systems running kernel versions 3.9 through 7.1-rc4 for exposure to IPsec workloads

Evidence notes

CVE published 2026-05-23; modified 2026-05-26. NVD analysis confirms affected versions spanning 3.9 through 7.1-rc4. Multiple stable kernel patches released.
