{"id":"CVE-2026-46300","summary":"net: skbuff: preserve shared-frag marker during coalescing","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: preserve shared-frag marker during coalescing\n\nskb_try_coalesce() can attach paged frags from @from to @to.  If @from\nhas SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same\nexternally-owned or page-cache-backed frags, but the shared-frag marker\nis currently lost.\n\nThat breaks the invariant relied on by later in-place writers.  In\nparticular, ESP input checks skb_has_shared_frag() before deciding\nwhether an uncloned nonlinear skb can skip skb_cow_data().  If TCP\nreceive coalescing has moved shared frags into an unmarked skb, ESP can\nsee skb_has_shared_frag() as false and decrypt in place over page-cache\nbacked frags.\n\nPropagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged\nfrags.  The tailroom copy path does not need the marker because it copies\nbytes into @to's linear data rather than transferring frag descriptors.","modified":"2026-06-18T03:54:41.916063137Z","published":"2026-05-23T11:44:02.231Z","related":["ALSA-2026:19568","ALSA-2026:19569","ALSA-2026:19664","ALSA-2026:19666","ALSA-2026:A008","ALSA-2026:A009","ALSA-2026:A010","CGA-6wrf-p5j5-r7h4","SUSE-SU-2026:1899-1","SUSE-SU-2026:1900-1","SUSE-SU-2026:1904-1","SUSE-SU-2026:1907-1","SUSE-SU-2026:1908-1","SUSE-SU-2026:1909-1","SUSE-SU-2026:1959-1","SUSE-SU-2026:1978-1","SUSE-SU-2026:2111-1","SUSE-SU-2026:2131-1","SUSE-SU-2026:2133-1","SUSE-SU-2026:2134-1","SUSE-SU-2026:2137-1","SUSE-SU-2026:2141-1","SUSE-SU-2026:2148-1","SUSE-SU-2026:2149-1","SUSE-SU-2026:2153-1","SUSE-SU-2026:2158-1","SUSE-SU-2026:2159-1","SUSE-SU-2026:21673-1","SUSE-SU-2026:2168-1","SUSE-SU-2026:21684-1","SUSE-SU-2026:21689-1","SUSE-SU-2026:21690-1","SUSE-SU-2026:2172-1","SUSE-SU-2026:21749-1","SUSE-SU-2026:2176-1","SUSE-SU-2026:2178-1","SUSE-SU-2026:21782-1","SUSE-SU-2026:21800-1","SUSE-SU-2026:2181-1","SUSE-SU-2026:21886-1","SUSE-SU-2026:21887-1","SUSE-SU-2026:21888-1","SUSE-SU-2026:21889-1","SUSE-SU-2026:2189-1","SUSE-SU-2026:21890-1","SUSE-SU-2026:21891-1","SUSE-SU-2026:21892-1","SUSE-SU-2026:21893-1","SUSE-SU-2026:21894-1","SUSE-SU-2026:21895-1","SUSE-SU-2026:21896-1","SUSE-SU-2026:21900-1","SUSE-SU-2026:21901-1","SUSE-SU-2026:21902-1","SUSE-SU-2026:21903-1","SUSE-SU-2026:21904-1","SUSE-SU-2026:21905-1","SUSE-SU-2026:21906-1","SUSE-SU-2026:21907-1","SUSE-SU-2026:21908-1","SUSE-SU-2026:21909-1","SUSE-SU-2026:2191-1","SUSE-SU-2026:21910-1","SUSE-SU-2026:21921-1","SUSE-SU-2026:21922-1","SUSE-SU-2026:21923-1","SUSE-SU-2026:21924-1","SUSE-SU-2026:21925-1","SUSE-SU-2026:21926-1","SUSE-SU-2026:21927-1","SUSE-SU-2026:21928-1","SUSE-SU-2026:21929-1","SUSE-SU-2026:21930-1","SUSE-SU-2026:21931-1","SUSE-SU-2026:21932-1","SUSE-SU-2026:21933-1","SUSE-SU-2026:21934-1","SUSE-SU-2026:21935-1","SUSE-SU-2026:21936-1","SUSE-SU-2026:21937-1","SUSE-SU-2026:21938-1","SUSE-SU-2026:21939-1","SUSE-SU-2026:21940-1","SUSE-SU-2026:21941-1","SUSE-SU-2026:21942-1","SUSE-SU-2026:21953-1","SUSE-SU-2026:21956-1","SUSE-SU-2026:21957-1","SUSE-SU-2026:21958-1","SUSE-SU-2026:21959-1","SUSE-SU-2026:21960-1","SUSE-SU-2026:21961-1","SUSE-SU-2026:21962-1","SUSE-SU-2026:21963-1","SUSE-SU-2026:21968-1","SUSE-SU-2026:21969-1","SUSE-SU-2026:21970-1","SUSE-SU-2026:21971-1","SUSE-SU-2026:21972-1","SUSE-SU-2026:21973-1","SUSE-SU-2026:21974-1","SUSE-SU-2026:21979-1","SUSE-SU-2026:21982-1","SUSE-SU-2026:21983-1","SUSE-SU-2026:2199-1","SUSE-SU-2026:2200-1","SUSE-SU-2026:22029-1","SUSE-SU-2026:22030-1","SUSE-SU-2026:22031-1","SUSE-SU-2026:22032-1","SUSE-SU-2026:22033-1","SUSE-SU-2026:22034-1","SUSE-SU-2026:22035-1","SUSE-SU-2026:22038-1","SUSE-SU-2026:22039-1","SUSE-SU-2026:22040-1","SUSE-SU-2026:22042-1","SUSE-SU-2026:2207-1","SUSE-SU-2026:2214-1","SUSE-SU-2026:2238-1","openSUSE-SU-2026:10954-1","openSUSE-SU-2026:20758-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46300.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/13/5"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/21/11"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/21/12"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/21/13"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46300.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46300"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cef401de7be8c4e155c6746bfccf721a4fa5fab9"},{"fixed":"3599e6b3cc1ada96883d496a50a210d3afbb6987"},{"fixed":"2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c"},{"fixed":"9d3e5fd19fe1063bf607219e8562fbd567b8e8d5"},{"fixed":"78bf6b6bb19541d19fbda6242e7cfe2c682763c0"},{"fixed":"760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e"},{"fixed":"3bd9e113d50034db99d7ef69fd8e5242d15e414a"},{"fixed":"3884358a9286b17f389a72b1426fc4547c23c111"},{"fixed":"f84eca5817390257cef78013d0112481c503b4a3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46300.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.9.0"},{"fixed":"5.10.257"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.208"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.174"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.141"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.91"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.33"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46300.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}