PT-2026-42878 · Linux+2 · Linux Kernel+2

Published

2026-05-23

·

Updated

2026-07-10

·

CVE-2026-43503

CVSS v3.1

8.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel versions 7.1-rc1 through 7.1-rc4
Description A local privilege escalation issue exists in the Linux networking stack (skbuff component) due to the improper propagation of the SKBFL SHARED FRAG flag during fragment transfers. Several functions and helpers, including pskb copy fclone(), skb shift(), skb gro receive(), skb gro receive list(), tcp clone payload(), skb segment(), and skb try coalesce(), fail to carry over this marker when moving fragment descriptors. This creates a mismatch where a socket buffer (skb) may reference externally-owned or page-cache-backed pages while reporting that it does not have shared fragments via the skb has shared frag() function.
This flaw can be exploited by in-place writers, such as the Encapsulating Security Payload (ESP) input (esp4.c, esp6.c), which rely on skb has shared frag() to determine if data must be processed through skb cow data(). An unprivileged user can leverage this to write into the page cache of a root-owned read-only file, allowing them to gain root privileges. This attack, known as DirtyClone, can be achieved by mapping a binary like /usr/bin/su into the page cache and using an iptables TEE rule to force the use of pskb copy fclone(), subsequently overwriting the cached binary in memory via AES-CBC decryption.
Recommendations For Linux kernel versions 7.1-rc1 through 7.1-rc4, apply the upstream fix (commit 48f6a5356a33) immediately. Restrict the use of unprivileged user namespaces to minimize the risk of exploitation.

Exploit

Fix

DoS

LPE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-08879
CVE-2026-43503
ECHO-E912-6020-E80C
OESA-2026-2496
OESA-2026-2580
OESA-2026-2581
OPENSUSE-SU-2026:10954-1
OPENSUSE-SU-2026:20826-1
RHSA-2026:19540
RHSA-2026:19664
RHSA-2026:19666
RHSA-2026:20051
RHSA-2026:20054
RHSA-2026:20129
RHSA-2026:20299
RHSA-2026:23468
RHSA-2026:23469
RHSA-2026:23470
RHSA-2026:23471
RHSA-2026:24814
RHSA-2026:33486
SUSE-SU-2026:2111-1
SUSE-SU-2026:21834-1
SUSE-SU-2026:21841-1
SUSE-SU-2026:21845-1
SUSE-SU-2026:21860-1
SUSE-SU-2026:21876-1
SUSE-SU-2026:21877-1
SUSE-SU-2026:21916-1
SUSE-SU-2026:21919-1
SUSE-SU-2026:2202-1
SUSE-SU-2026:22108-1
SUSE-SU-2026:22137-1
SUSE-SU-2026:2215-1
SUSE-SU-2026:2216-1
SUSE-SU-2026:2217-1
SUSE-SU-2026:22276-1
SUSE-SU-2026:22277-1
SUSE-SU-2026:22278-1
SUSE-SU-2026:22279-1
SUSE-SU-2026:22280-1
SUSE-SU-2026:22281-1
SUSE-SU-2026:22282-1
SUSE-SU-2026:22283-1
SUSE-SU-2026:22288-1
SUSE-SU-2026:2238-1
SUSE-SU-2026:22383-1
SUSE-SU-2026:22384-1
SUSE-SU-2026:22385-1
SUSE-SU-2026:22386-1
SUSE-SU-2026:22387-1
SUSE-SU-2026:22388-1
SUSE-SU-2026:22389-1
SUSE-SU-2026:22390-1
SUSE-SU-2026:22391-1
SUSE-SU-2026:22396-1
SUSE-SU-2026:22397-1
SUSE-SU-2026:22398-1
SUSE-SU-2026:22399-1
SUSE-SU-2026:22400-1
SUSE-SU-2026:22401-1
SUSE-SU-2026:22402-1
SUSE-SU-2026:22403-1
SUSE-SU-2026:22404-1
SUSE-SU-2026:22405-1
SUSE-SU-2026:22406-1
SUSE-SU-2026:22407-1
SUSE-SU-2026:22408-1
SUSE-SU-2026:22409-1
SUSE-SU-2026:22410-1
SUSE-SU-2026:22411-1
SUSE-SU-2026:22412-1
SUSE-SU-2026:22413-1
SUSE-SU-2026:22414-1
SUSE-SU-2026:22415-1
SUSE-SU-2026:22416-1
SUSE-SU-2026:22417-1
SUSE-SU-2026:22418-1
SUSE-SU-2026:22419-1
SUSE-SU-2026:22420-1
SUSE-SU-2026:22421-1
SUSE-SU-2026:22425-1
SUSE-SU-2026:22426-1
SUSE-SU-2026:22427-1
SUSE-SU-2026:22428-1
SUSE-SU-2026:22433-1
SUSE-SU-2026:22458-1
SUSE-SU-2026:22461-1
SUSE-SU-2026:22462-1
SUSE-SU-2026:22463-1
SUSE-SU-2026:22464-1
SUSE-SU-2026:22465-1
SUSE-SU-2026:22466-1
SUSE-SU-2026:22467-1
SUSE-SU-2026:22468-1
SUSE-SU-2026:22469-1
SUSE-SU-2026:22470-1
SUSE-SU-2026:22471-1
SUSE-SU-2026:22472-1
SUSE-SU-2026:22473-1
SUSE-SU-2026:22474-1
SUSE-SU-2026:22475-1
SUSE-SU-2026:22476-1
SUSE-SU-2026:22478-1
SUSE-SU-2026:22479-1
SUSE-SU-2026:22480-1
SUSE-SU-2026:22481-1
SUSE-SU-2026:22482-1
SUSE-SU-2026:22483-1
SUSE-SU-2026:22484-1
SUSE-SU-2026:22485-1
SUSE-SU-2026:22486-1
SUSE-SU-2026:22487-1
SUSE-SU-2026:22488-1
SUSE-SU-2026:22489-1
SUSE-SU-2026:22490-1
SUSE-SU-2026:22491-1
SUSE-SU-2026:22507-1
SUSE-SU-2026:22508-1
SUSE-SU-2026:22509-1
SUSE-SU-2026:2310-1
SUSE-SU-2026:2450-1
SUSE-SU-2026:2494-1
SUSE-SU-2026:2496-1
SUSE-SU-2026:2500-1
SUSE-SU-2026:2503-1
SUSE-SU-2026:2511-1
SUSE-SU-2026:2518-1
SUSE-SU-2026:2520-1
SUSE-SU-2026:2532-1
SUSE-SU-2026:2549-1
SUSE-SU-2026:2553-1
SUSE-SU-2026:2559-1
SUSE-SU-2026:2567-1
SUSE-SU-2026:2571-1
SUSE-SU-2026:2588-1
SUSE-SU-2026:2592-1
SUSE-SU-2026:2594-1
SUSE-SU-2026:2601-1
SUSE-SU-2026:2603-1
SUSE-SU-2026:2607-1
SUSE-SU-2026:2608-1
SUSE-SU-2026:2610-1
SUSE-SU-2026:2630-1
SUSE-SU-2026:2658-1
USN-8370-1
USN-8371-1
USN-8373-1
USN-8374-1
USN-8388-1
USN-8388-2
USN-8393-1
USN-8426-1
USN-8426-2
USN-8440-1
USN-8461-1
USN-8462-1
USN-8489-1
USN-8497-1
USN-8499-1
USN-8501-1
USN-8528-1
USN-8529-1
USN-8530-1

Affected Products

Linuxmint
Linux Kernel
Ubuntu