PT-2026-40816 · Linux · Linux Kernel
V4Bel · Published 2026-05-13 · Updated 2026-06-08 · CVE-2026-46300
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to May 13, 2026
Description
A local privilege escalation issue exists in the Linux kernel networking stack, specifically within the XFRM ESP-in-TCP subsystem. The problem stems from a logical error in several functions, including skb_try_coalesce(), pskb_copy_fclone(), skb_shift(), skb_gro_receive(), skb_gro_receive_list(), tcp_clone_payload(), and skb_segment(), which fail to correctly propagate the SKBFL_SHARED_FRAG flag when moving paged fragments between socket buffers. This flag identifies fragments that are externally owned or backed by the page cache.

When this marker is lost, skb_has_shared_frag() may incorrectly return false. This allows in-place writers, such as ESP input (esp4.c, esp6.c), to skip skb_cow_data() and perform decryption directly over shared page-cache pages. An unprivileged local user can exploit this to achieve arbitrary byte writes into the kernel page cache of read-only files, such as /usr/bin/su or /etc/passwd, without requiring a race condition. This lets the attacker corrupt protected system binaries in memory and escalate privileges to root. A variant of this issue also exists where skb_segment() fails to merge flags from the frag_list members, allowing a similar bypass of the skip_cow check inside esp_input().

Recommendations
Update the Linux kernel to a version released after May 13, 2026.

As a temporary mitigation, unload the esp4, esp6, and rxrpc modules by running sudo modprobe -r esp4 esp6 rxrpc and blacklist them so they are not loaded again.
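The temporary mitigation above, written out as a small POSIX shell script. This is an added example, not a script from the advisory or from the kernel project; the helper names and the modprobe.d file name are my own choices, and the "install ... /bin/false" lines go one step beyond the advisory's "blacklisting" by also refusing explicit load requests for the modules. The module check takes a /proc/modules-style file as an argument so it can be exercised on a constructed sample without root.

```shell
#!/bin/sh
# Added example (not part of the advisory): stage the temporary mitigation
# for CVE-2026-46300. Helper names and the config file name are assumptions.
set -u

# Modules named in the advisory's temporary mitigation.
MITIGATION_MODULES="esp4 esp6 rxrpc"

# Emit a modprobe.d fragment for each module given as an argument.
# "blacklist" stops alias-based autoloading; the "install ... /bin/false"
# line additionally fails any explicit or dependency-driven load request.
render_blacklist() {
    for m in "$@"; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Print, one per line, the mitigation modules that appear in a
# /proc/modules-style file (first column is the module name). The path is a
# parameter so the function runs over a constructed sample as well as the
# live /proc/modules.
loaded_mitigation_modules() {
    modfile="$1"
    for m in $MITIGATION_MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile"; then
            printf '%s\n' "$m"
        fi
    done
}

# Write the blacklist fragment and unload whatever is currently loaded.
# Requires root; modprobe -r fails (and reports it) if a module is still in
# use, e.g. while an ESP security association references esp4 or esp6.
apply_mitigation() {
    conf="${1:-/etc/modprobe.d/cve-2026-46300-mitigation.conf}"
    render_blacklist $MITIGATION_MODULES > "$conf"
    loaded=$(loaded_mitigation_modules /proc/modules)
    if [ -n "$loaded" ]; then
        # word splitting of $loaded is intended: one argument per module
        modprobe -r $loaded
    fi
    echo "wrote $conf; unloaded: ${loaded:-none}"
}

# Only act when explicitly asked, so sourcing or dry-running the file is
# harmless: sh mitigate.sh apply [/path/to/modprobe.d/file]
if [ "${1:-}" = "apply" ]; then
    apply_mitigation "${2:-}"
fi
```

Run it as root with the `apply` argument to write the modprobe.d fragment and unload any of the three modules that are currently loaded; without the argument it only defines the functions, so you can source it and run `loaded_mitigation_modules /proc/modules` as an unprivileged check of whether the mitigation has taken effect. Remove the fragment once the patched kernel is installed, otherwise ESP and rxrpc stay disabled.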
Tags: Exploit, Fix, RCE, DoS, LPE, Memory Corruption
Related Identifiers
Affected Products
Linuxmint
Linux Kernel
Red Os
Rocky Linux
Ubuntu