[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2026-43503":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-15T22:50:23.791Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":39},"DEBIAN-CVE-2026-43503","In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: propagate shared-frag marker through frag-transfer helpers  Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination.  __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched.  As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false.  The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data().  ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to \u003Clocal>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes.  Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source.  skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change.  The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list.  Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker.  The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb.  The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently.  The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb.  Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.",null,[],[],[],[14],{"_key":15},"CVE-2026-43503",[],[],[],"2026-05-23T12:17:02.547Z","2026-06-15T09:00:27.325941990Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2026-43503",[27],"osv_debian",[29],"Advisory",[],[],[33],{"source":27,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":34,"cvss_v4_0":9},{"baseScore":35,"baseSeverity":9,"vectorString":36,"impactScore":37,"exploitabilityScore":38},8.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",10,5.1,[40,66],{"ecosystem":41,"name":42,"vendor":43,"product":42,"cpe_part":9,"purl_type":44,"purl_namespace":43,"purl_name":42,"source":9,"versions":45},"Debian","linux","debian","deb",[46,50,51,52,53,57,60,63],{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":54,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":55,"version_end_type":56,"fixed_in":9},"lt5_10_257_1","5.10.257-1","excluding",{"version":58,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":59,"version_end_type":56,"fixed_in":9},"lt6_1_174_1","6.1.174-1",{"version":61,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":62,"version_end_type":56,"fixed_in":9},"lt6_12_90_1","6.12.90-1",{"version":64,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":65,"version_end_type":56,"fixed_in":9},"lt7_0_9_1","7.0.9-1",{"ecosystem":41,"name":67,"vendor":43,"product":67,"cpe_part":9,"purl_type":44,"purl_namespace":43,"purl_name":67,"source":9,"versions":68},"linux-6.1",[69],{"version":70,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":71,"version_end_type":56,"fixed_in":9},"lt6_1_174_1~deb11u1","6.1.174-1~deb11u1"]