CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: preserve shared-frag marker during coalescing
skb_try_coalesce() can attach paged frags from @from to @to. If @from
has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
externally-owned or page-cache-backed frags, but the shared-frag marker
is currently lost.
That breaks the invariant relied on by later in-place writers. In
particular, ESP input checks skb_has_shared_frag() before deciding
whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP
receive coalescing has moved shared frags into an unmarked skb, ESP can
see skb_has_shared_frag() as false and decrypt in place over page-cache
backed frags.
Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
frags. The tailroom copy path does not need the marker because it copies
bytes into @to's linear data rather than transferring frag descriptors.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Linux · Linuxpublic PoCs found — 12
githubgithub.com/0xBlackash/CVE-2026-46300★ 9githubgithub.com/Koshmare-Blossom/Fragnesia-go★ 2githubgithub.com/Sentebale/CVE-2026-46300★ 1githubgithub.com/HORKimhab/CVE-2026-46300★ 1githubgithub.com/BenedictEjepu/CVE-2026-46300-Fragnesia---TryHackMe-Lab-Walkthrough★ 0githubgithub.com/BenedictEjepu/CVE-2026-46300-Fragnesia---TryHackMe-Lab-Project★ 0githubgithub.com/azilRababe/CVE-2026-46300★ 0githubgithub.com/AzDevops143/FRAGNESIA-Charan-cve-2026-46300★ 0githubgithub.com/ExploitEoom/CVE-2026-46300★ 0githubgithub.com/Maxime288/Fragnesia-CVE-2026-46300★ 0githubgithub.com/1neptune/Fragnesia★ 0exploitdbwww.exploit-db.com/exploits/52591unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641chttps://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414ahttps://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34ehttps://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3http://www.openwall.com/lists/oss-security/2026/05/13/5http://www.openwall.com/lists/oss-security/2026/05/21/11http://www.openwall.com/lists/oss-security/2026/05/21/12http://www.openwall.com/lists/oss-security/2026/05/21/13