CVE-2026-46300 | net: skbuff: preserve shared-frag marker during coalescing

Exp

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

Published: 2026-05-23 Last update: 2026-05-30 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2026-46300 is rated High Exploit Risk (63.6/100): CVSS High severity, with low exploitation likelihood (EPSS 0.25%). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2026-46300

EDB-ID Source Kind Published Link
52591 exploit_db edb 2026-05-29 Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2026-46300

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-30 0.01% 0.25% +0.24%
2 2026-05-27 0.07% 0.01% -0.06%
3 2026-05-24 0.07%

Full EPSS history (4 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-46300

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.8 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 5.9 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 5.9 [email protected]

Weakness enumeration for CVE-2026-46300

GitHub Security Advisory for CVE-2026-46300

GHSA-47jg-vqrv-5f8v · Severity: high — In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared...

OS Trackers for CVE-2026-46300

vendor priority summary link
debian not yet assigned CVE-2026-46300 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. https://security-tracker.debian.org/tracker/CVE-2026-46300
redhat high https://access.redhat.com/security/cve/CVE-2026-46300
suse high CVE-2026-46300 severity important: SUSE including 4 source package names (kernel-default, kernel-default-base, kernel-default-devel, kernel-source), 6 product×package rows across 2 product lines (SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE, SUSE Linux Enterprise Server Teradata 12 SP3): Known Not Affected 6. https://www.suse.com/security/cve/CVE-2026-46300/
ubuntu high CVE-2026-46300 high priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1422 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1024, ignored 169, released 84, needed 56, not-affected 45, pending 44. https://ubuntu.com/security/CVE-2026-46300

Affected software / configurations for CVE-2026-46300

Vendor Product Version Raw CPE
linux linux_kernel >= 3.9, <= 5.10.257 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.11, < 5.15.208 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.16, < 6.1.174 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.2, < 6.6.141 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.7, < 6.12.91 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.13, < 6.18.33 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.19, < 7.0.10 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel 7.1 cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
linux linux_kernel 7.1 cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
linux linux_kernel 7.1 cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*
linux linux_kernel 7.1 cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*

References for CVE-2026-46300

URL Tags
https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c Patch
https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987 Patch
https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111 Patch
https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a Patch
https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e Patch
https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0 Patch
https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5 Patch
https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3 Patch
http://www.openwall.com/lists/oss-security/2026/05/13/5 Mailing List
http://www.openwall.com/lists/oss-security/2026/05/21/11 Mailing List
http://www.openwall.com/lists/oss-security/2026/05/21/12 Mailing List
http://www.openwall.com/lists/oss-security/2026/05/21/13 Mailing List
cvelogic Threat Intelligence