PT-2026-42878 · Linux+2 · Linux Kernel+2
Published: 2026-05-23 · Updated: 2026-06-27
CVE-2026-43503
CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 7.1-rc5
Description
A local privilege escalation flaw, known as DirtyClone, exists in the Linux networking stack. The issue occurs because the SKBFL_SHARED_FRAG flag is not properly propagated through several frag-transfer helpers and functions, including pskb_copy_fclone(), skb_shift(), skb_gro_receive(), skb_gro_receive_list(), tcp_clone_payload(), skb_segment(), and skb_try_coalesce().
When these functions move fragment descriptors from a source to a destination socket buffer (skb), they fail to carry over the SKBFL_SHARED_FRAG marker. This creates a mismatch where the destination skb references externally-owned or page-cache-backed pages but reports that it does not have shared fragments. In-place writers, such as ESP input (esp4.c and esp6.c), rely on the skb_has_shared_frag() function to determine if shared pages must be handled via skb_cow_data(). Because the marker is missing, an unprivileged user can trigger stray writes to the page cache of a root-owned read-only file, allowing the attacker to corrupt file-backed memory and gain root privileges.
Recommendations
Update the Linux kernel to version 7.1-rc5 or later.
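The flag mismatch from the Description, as an added userspace model in C (not kernel code and not part of the original advisory): the struct, the MODEL_SHARED_FRAG constant and all function names are hypothetical stand-ins, and the 8-byte buffer is a constructed stand-in for a page-cache page. It shows that an in-place writer which trusts the marker overwrites the shared page when a transfer helper drops the flag, and takes a private copy first when the flag is propagated.

```c
/* Userspace model only, not kernel code; every name below is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MODEL_SHARED_FRAG 0x1  /* stands in for SKBFL_SHARED_FRAG */
struct model_skb { unsigned flags; char *frag; };  /* one fragment per skb */

/* Frag-transfer helper that hands over the descriptor but drops the marker. */
static void transfer_frag_unpatched(struct model_skb *dst, const struct model_skb *src)
{
    dst->frag = src->frag;
}

/* Same transfer, with the shared-frag marker carried over to the destination. */
static void transfer_frag_propagating(struct model_skb *dst, const struct model_skb *src)
{
    dst->flags |= src->flags & MODEL_SHARED_FRAG;
    dst->frag = src->frag;
}

/* In-place writer: takes a private copy first only if the skb reports shared frags. */
static void inplace_write(struct model_skb *skb, size_t len)
{
    if (skb->flags & MODEL_SHARED_FRAG) {
        char *priv = malloc(len);
        if (!priv) abort();
        memcpy(priv, skb->frag, len);
        skb->frag = priv;
    }
    memset(skb->frag, 'X', len);
}

/* Returns 1 if the externally owned page was overwritten, 0 if it stayed intact. */
static int shared_page_modified(int propagate)
{
    char page[8] = "ROFILE!";  /* constructed stand-in for a page-cache page */
    struct model_skb src = { MODEL_SHARED_FRAG, page }, dst = { 0, NULL };
    (propagate ? transfer_frag_propagating : transfer_frag_unpatched)(&dst, &src);
    inplace_write(&dst, 7);
    int modified = memcmp(page, "ROFILE!", 7) != 0;
    if (dst.frag != page) free(dst.frag);
    return modified;
}

int main(void)
{
    printf("unpatched=%d propagating=%d\n", shared_page_modified(0), shared_page_modified(1));
    return 0;
}
```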
Affected Products
Linuxmint
Linux Kernel
Ubuntu