CVE-2026-43503

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: preserve shared-frag marker during coalescing

skb try coalesce() can attach paged frags from @from to @to. If @from has SKBFL SHARED FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.

That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb has shared frag() before deciding whether an uncloned nonlinear skb can skip skb cow data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb has shared frag() as false and decrypt in place over page-cache backed frags.

Propagate SKBFL SHARED FRAG when skb try coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.