PT-2026-42878 · Linux+2 · Linux Kernel+2
Published
2026-05-23
·
Updated
2026-07-10
·
CVE-2026-43503
CVSS v3.1
8.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions 7.1-rc1 through 7.1-rc4
Description
A local privilege escalation issue exists in the Linux networking stack (skbuff component) due to the improper propagation of the
SKBFL SHARED FRAG flag during fragment transfers. Several functions and helpers, including pskb copy fclone(), skb shift(), skb gro receive(), skb gro receive list(), tcp clone payload(), skb segment(), and skb try coalesce(), fail to carry over this marker when moving fragment descriptors. This creates a mismatch where a socket buffer (skb) may reference externally-owned or page-cache-backed pages while reporting that it does not have shared fragments via the skb has shared frag() function.This flaw can be exploited by in-place writers, such as the Encapsulating Security Payload (ESP) input (
esp4.c, esp6.c), which rely on skb has shared frag() to determine if data must be processed through skb cow data(). An unprivileged user can leverage this to write into the page cache of a root-owned read-only file, allowing them to gain root privileges. This attack, known as DirtyClone, can be achieved by mapping a binary like /usr/bin/su into the page cache and using an iptables TEE rule to force the use of pskb copy fclone(), subsequently overwriting the cached binary in memory via AES-CBC decryption.Recommendations
For Linux kernel versions 7.1-rc1 through 7.1-rc4, apply the upstream fix (commit 48f6a5356a33) immediately.
Restrict the use of unprivileged user namespaces to minimize the risk of exploitation.
Exploit
Fix
DoS
LPE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Linux Kernel
Ubuntu