CVE-2026-43503
net: skbuff: preserve shared-frag marker during coalescing
Description
In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.
INFO
Published Date :
May 23, 2026, 11:44 a.m.
Last Modified :
May 23, 2026, 11:44 a.m.
Remotely Exploit :
No
Source :
Linux
Affected Products
The following products are affected by CVE-2026-43503
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Update the Linux kernel to include the fix.
- Ensure skb_try_coalesce preserves the shared frag marker.
- Verify ESP input checks handle shared frags correctly.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-43503 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-43503 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 23, 2026
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors. Added Reference https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c Added Reference https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987 Added Reference https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111 Added Reference https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a Added Reference https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e Added Reference https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0 Added Reference https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5