PT-2026-40816 · Linux+4 · Linux Kernel+4
V4Bel · Published 2026-05-13 · Updated 2026-06-29 · CVE-2026-46300
| CVSS v3.1 | 7.8 High |
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
Local privilege escalation is possible in the Linux kernel networking stack, specifically within the XFRM ESP-in-TCP receive path. The issue occurs when the kernel fails to correctly preserve the SKBFL_SHARED_FRAG flag during the movement of paged fragments between socket buffers in functions such as skb_try_coalesce(), pskb_copy_fclone(), skb_shift(), skb_gro_receive(), skb_gro_receive_list(), tcp_clone_payload(), and skb_segment(). This failure creates a desynchronization between fragment metadata and page-cache-backed memory. Consequently, the skb_has_shared_frag() check returns false, allowing the ESP input process to perform in-place decryption directly over shared page-cache pages. An unprivileged local user can exploit this memory write primitive to corrupt read-only file cache entries, such as the /usr/bin/su binary or /etc/passwd, leading to the execution of a root shell.
Recommendations
As a temporary mitigation, disable the esp4, esp6, and rxrpc modules by running sudo modprobe -r esp4 esp6 rxrpc and blacklisting them.
Restrict unnecessary local shell access.
Harden containerized workloads.
Increase monitoring for abnormal privilege escalation activity.
Exploit · Fix · DoS · LPE · RCE · Memory Corruption
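To confirm the temporary mitigation from the recommendations is actually in place on a host, the following added example (not part of the original advisory or of any vendor tooling) checks that esp4, esp6 and rxrpc are unloaded and blocked from reloading. The function names, the FAIL/WARN/OK output and the choice to accept an `install <module> /bin/false` override as equivalent to a `blacklist` line are assumptions of this example.

```shell
# Added example: audits the modules named in the page's temporary mitigation.
MODULES="esp4 esp6 rxrpc"

# is_loaded MODULE PROC_MODULES_FILE: succeeds if the module is loaded.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# is_blocked MODULE MODPROBE_DIR: succeeds if a .conf file blacklists the module
# or sets its install command to /bin/false or /bin/true (example's assumption).
is_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            $1 == "blacklist" && $2 == m { hit = 1 }
            $1 == "install" && $2 == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { hit = 1 }
            END { exit !hit }' "$f" && return 0
    done
    return 1
}

# audit_mitigation [PROC_MODULES_FILE] [MODPROBE_DIR]: returns the finding count.
audit_mitigation() {
    proc_file=${1:-/proc/modules}
    conf_dir=${2:-/etc/modprobe.d}
    findings=0
    for m in $MODULES; do
        if is_loaded "$m" "$proc_file"; then
            echo "FAIL $m: still loaded"
            findings=$((findings + 1))
        elif ! is_blocked "$m" "$conf_dir"; then
            echo "WARN $m: unloaded, but no modprobe.d entry blocks reloading"
            findings=$((findings + 1))
        else
            echo "OK   $m: unloaded and blocked"
        fi
    done
    return "$findings"
}

# Constructed sample: esp4 loaded, esp6 blacklisted, rxrpc not addressed.
demo() {
    d=$(mktemp -d)
    printf 'esp4 24576 0 - Live 0x0000000000000000\n' > "$d/modules"
    printf 'blacklist esp6\n' > "$d/block.conf"
    audit_mitigation "$d/modules" "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Source the file and call `audit_mitigation` with no arguments to check the live system. A driver compiled into the kernel never appears in /proc/modules and cannot be removed with modprobe -r, so an OK line only covers loadable modules.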
Affected Products
Linuxmint
Linux Kernel
Red Os
Rocky Linux
Ubuntu