cbcvebase.
CVE-2026-46300
published 2026-05-23

CVE-2026-46300: In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach…

PriorityP354high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EXPLOIT
EPSS
3.66%
88.2th percentile
In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

Affected

66 ranges· showing 25
VendorProductVersion rangeFixed in
linuxlinux
linuxlinux>= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 3599e6b3cc1ada96883d496a50a210d3afbb69873599e6b3cc1ada96883d496a50a210d3afbb6987
linuxlinux>= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c
linuxlinux>= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 9d3e5fd19fe1063bf607219e8562fbd567b8e8d59d3e5fd19fe1063bf607219e8562fbd567b8e8d5
linuxlinux>= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 78bf6b6bb19541d19fbda6242e7cfe2c682763c078bf6b6bb19541d19fbda6242e7cfe2c682763c0
linuxlinux>= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e
linuxlinux>= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 3bd9e113d50034db99d7ef69fd8e5242d15e414a3bd9e113d50034db99d7ef69fd8e5242d15e414a
linuxlinux>= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 3884358a9286b17f389a72b1426fc4547c23c1113884358a9286b17f389a72b1426fc4547c23c111
linuxlinux>= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < f84eca5817390257cef78013d0112481c503b4a3f84eca5817390257cef78013d0112481c503b4a3
linuxlinux_kernel
linuxlinux_kernel
linuxlinux_kernel
linuxlinux_kernel
linuxlinux_kernel
linuxlinux_kernel3.9 – 5.10.257
linuxlinux_kernel>= 5.11 < 5.15.2085.15.208
linuxlinux_kernel>= 5.16 < 6.1.1746.1.174
linuxlinux_kernel>= 6.13 < 6.18.336.18.33
linuxlinux_kernel>= 6.19 < 7.0.107.0.10
linuxlinux_kernel>= 6.2 < 6.6.1416.6.141
linuxlinux_kernel>= 6.7 < 6.12.916.12.91
ubuntulinux
ubuntulinux-aws
ubuntulinux-aws-5.15
ubuntulinux-aws-6.17

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_ubuntu8.8HIGH
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.