
CVE-2026-43503

Published: May 23, 2026 · Updated: May 26, 2026

EPSS: 0.02% probability of exploitation in 30 days (percentile: 7.2th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: propagate shared-frag marker through frag-transfer helpers

Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs,type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false.

The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes.

Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change.

The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker.

The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently.

The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.

NVD Source
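As an added illustration (not the kernel's code or the patch itself), a userspace C model of the gap the description names: the transfer duplicates frag descriptors and then, like skb_copy_header(), carries over only gso fields, so the copy references the same page but reports skb_has_shared_frag() false; the fixed variant propagates the marker whenever descriptors were actually moved. The struct layout, the SKBFL_SHARED_FRAG bit value and the sample page are constructed placeholders.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed userspace model of the shinfo fields the bug concerns; not kernel code. */
#define SKBFL_SHARED_FRAG 0x2u   /* placeholder bit value, not the real skbuff.h constant */
#define MAX_FRAGS 4

struct frag { const char *page; size_t len; };
struct shinfo {
    unsigned int flags;              /* skb_shinfo()->flags, where the marker lives */
    unsigned int nr_frags;
    unsigned int gso_size;           /* stands in for gso_{size,segs,type} */
    struct frag frags[MAX_FRAGS];
};
/* The check in-place writers such as ESP input use to decide on skb_cow_data(). */
static bool skb_has_shared_frag(const struct shinfo *s) {
    return (s->flags & SKBFL_SHARED_FRAG) != 0;
}
/* Models skb_copy_header(): carries the gso fields only, never flags. */
static void copy_header(struct shinfo *dst, const struct shinfo *src) {
    dst->gso_size = src->gso_size;
}
/* Models the descriptor transfer: dst now references the same pages as src. */
static unsigned int move_frags(struct shinfo *dst, const struct shinfo *src) {
    memcpy(dst->frags, src->frags, src->nr_frags * sizeof(struct frag));
    dst->nr_frags = src->nr_frags;
    return src->nr_frags;            /* how many descriptors were actually moved */
}
/* Before the fix: descriptors move, the shared-frag marker is dropped. */
static void frag_transfer_buggy(struct shinfo *dst, const struct shinfo *src) {
    move_frags(dst, src);
    copy_header(dst, src);
}
/* After the fix: propagate the marker whenever descriptors were actually moved. */
static void frag_transfer_fixed(struct shinfo *dst, const struct shinfo *src) {
    if (move_frags(dst, src))
        dst->flags |= src->flags & SKBFL_SHARED_FRAG;
    copy_header(dst, src);
}
/* Source skb whose only frag is a shared page; returns whether the copy, which
 * references the same page either way, still reports that frag as shared. */
static bool copy_reports_shared(bool fixed) {
    static const char page[64] = "constructed page-cache-backed data";
    struct shinfo src = { .flags = SKBFL_SHARED_FRAG, .nr_frags = 1,
                          .frags = { { page, sizeof page } } };
    struct shinfo dst = { 0 };
    if (fixed) frag_transfer_fixed(&dst, &src); else frag_transfer_buggy(&dst, &src);
    return dst.frags[0].page == src.frags[0].page && skb_has_shared_frag(&dst);
}
```

The buggy path returns false while the copy still aliases the source page, which is exactly the state an in-place writer would misjudge; the fixed path returns true.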

Technical Analysis

CVE-2026-43503 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description): Linux

CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

News & Research Mentioning CVE-2026-43503

New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
The Hacker News· Jun 26, 2026

DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family. JFrog Security Research published a working exploit walkthrough for the flaw on June 25, the first public demonstration for this variant. Tracked as CVE-2026-43503 (CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root. The patch landed in


Quick Facts

CVE ID: CVE-2026-43503
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: May 23, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43503 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.