Skip to main content

Linux Kernel CVE-2026-43503

| EUVDEUVD-2026-31536 HIGH
Improper Control of a Resource Through its Lifetime (CWE-664)
2026-05-23 Linux GHSA-494p-q444-9xf7
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:22 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.8 (HIGH)
Patch available
May 26, 2026 - 14:16 EUVD
CVE Published
May 23, 2026 - 11:44 nvd
UNKNOWN (no severity yet)
CVE Published
May 23, 2026 - 11:44 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: preserve shared-frag marker during coalescing

skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.

That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

AnalysisAI

Memory corruption and potential information disclosure in the Linux kernel networking stack (skbuff) occurs because skb_try_coalesce() fails to propagate the SKBFL_SHARED_FRAG marker when transferring paged fragments between socket buffers. The flaw breaks an invariant relied upon by IPsec ESP input processing, which may then decrypt data in-place over page-cache-backed fragments belonging to other contexts. No public exploit identified at time of analysis, EPSS sits at 0.02%, and the issue is patched across multiple stable trees.

Technical ContextAI

The bug lives in net/core/skbuff.c, specifically the skb_try_coalesce() helper used by TCP receive coalescing to merge adjacent socket buffers and reduce per-packet overhead. The SKBFL_SHARED_FRAG flag indicates that a paged fragment is externally owned (e.g., backed by the page cache via sendfile/MSG_ZEROCOPY), and downstream code uses skb_has_shared_frag() to decide whether the buffer must be copied via skb_cow_data() before in-place mutation. When coalesce moved frag descriptors from a SHARED_FRAG-marked source skb into an unmarked destination, the marker was dropped, causing ESP input on IPsec-protected TCP flows to perform in-place decryption over page-cache pages it does not own - corrupting those pages and leaking plaintext into file-backed memory. The CPE entries (cpe:2.3:a:linux:linux:*) cover the upstream kernel tree from 3.9 forward where skb_try_coalesce exists. No CWE is assigned, but the defect maps cleanly to CWE-665 (Improper Initialization) or CWE-471 (Modification of Assumed-Immutable Data).

RemediationAI

Vendor-released patches are available across all maintained stable branches - upgrade to Linux 5.10.257, 5.15.208, 6.1.174, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or mainline 7.1-rc5 (or any later release on the same series), or apply the corresponding stable commits listed at git.kernel.org/stable (e.g., 3599e6b3cc1a, 2f2b16022a2e, 9d3e5fd19fe1, 78bf6b6bb195, 760e1addc27b, 3bd9e113d500, 3884358a9286, fbeab9555564, 179f1852bdedc, 12401fcfb01f, 989214c66884, fc6eb39c55e9, ff375cc75f91, 9bc9d6d6967a). Distribution users should track their vendor's CVE-2026-43503 advisory and install the matching kernel package; reboot is required for kernel updates unless livepatch coverage is offered by the distribution. As a compensating control until patching, sites that do not require IPsec on receiving hosts can unload or disable the esp4/esp6 modules (modprobe -r esp4 esp6) which removes the vulnerable in-place decryption path at the cost of breaking any tunneled or transport-mode IPsec traffic; sites that do require IPsec can reduce exposure by avoiding sendfile/MSG_ZEROCOPY producers on the same hosts, though this is a partial mitigation and may regress throughput for file-serving workloads.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.145 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.162 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.176 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.125 Affected
Image SLES-Azure-Basic Image SLES-EC2 Image SLES-Hardened-BYOS-Azure Image SLES-SAPCAL-Azure Affected
SUSE Linux Enterprise Micro 5.3 Fixed

Share

CVE-2026-43503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy