CVE-2026-46300

Advisory lineage Upstream: 0 Downstream: 44

Downstream

DEBIAN-CVE-2026-46300 MGASA-2026-0174 MGASA-2026-0177 OPENSUSE-SU-2026:10954-1 RHBA-2026:20032 RHSA-2026:19521

Modified

Published: 23 May 2026, 11:44

Last modified:14 Jun 2026, 18:07

Vulnerability Summary

Overall Risk (default)

medium

42/100

CVSS Score

7.8 HIGH

v3.1 (nvd)

EPSS Score

1.58% LOW

2% probability +1.19%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

23 May 2026, 11:44

Published

Vulnerability first disclosed

14 Jun 2026, 18:07

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 1.58%• Percentile: 72%

Techniques & Countermeasures

CWE-787•Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.

Affected Systems

linux•linux
≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < fbeab9555564a1b98e8582cd106dfe46c4606991 | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 179f1852bdedc300e373e807cc102cd81feff196 | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 12401fcfb01f53ccc63ab0a3246570fe8f3105ee | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 989214c66884d70716d83dc1d0bf5e16287bf349 | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8 | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < ff375cc75f9167168db38e0464a482d5fbc8d81d | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 9bc9d6d6967a2239aa57af2aa53554eddd640d20 | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 3599e6b3cc1ada96883d496a50a210d3afbb6987 | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 9d3e5fd19fe1063bf607219e8562fbd567b8e8d5 | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 78bf6b6bb19541d19fbda6242e7cfe2c682763c0 | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 3bd9e113d50034db99d7ef69fd8e5242d15e414a | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < 3884358a9286b17f389a72b1426fc4547c23c111 | ≥ cef401de7be8c4e155c6746bfccf721a4fa5fab9, < f84eca5817390257cef78013d0112481c503b4a3 | 3.9
linux•linux_kernel
≥ 3.9, ≤ 5.10.257 | ≥ 5.11, < 5.15.208 | ≥ 5.16, < 6.1.174 | ≥ 6.2, < 6.6.141 | ≥ 6.7, < 6.12.91 | ≥ 6.13, < 6.18.33 | ≥ 6.19, < 7.0.10 | 7.1:rc1 | 7.1:rc2 | 7.1:rc3 | 7.1:rc4