CVE-2026-46300

high

Description

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

From the Tenable Blog

CVE-2026-46300 (Fragnesia): Linux Kernel ESP-in-TCP LPE FAQ | Tenable®
CVE-2026-46300 (Fragnesia): Linux Kernel ESP-in-TCP LPE FAQ | Tenable®

Published: 2026-05-14

CVE-2026-46300 (Fragnesia) is a Linux kernel privilege escalation in the XFRM ESP-in-TCP subsystem. Public PoC, no race condition. Dirty Frag patches do not fix it.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46300.json

https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3

https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5

https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0

https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e

https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a

https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111

https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987

https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c

https://bugzilla.redhat.com/show_bug.cgi?id=2477015

https://access.redhat.com/security/cve/CVE-2026-46300

https://access.redhat.com/errata/RHSA-2026:33486

https://access.redhat.com/errata/RHSA-2026:28887

https://access.redhat.com/errata/RHSA-2026:25044

https://access.redhat.com/errata/RHSA-2026:24814

https://access.redhat.com/errata/RHSA-2026:23471

https://access.redhat.com/errata/RHSA-2026:23470

https://access.redhat.com/errata/RHSA-2026:23469

https://access.redhat.com/errata/RHSA-2026:23468

https://access.redhat.com/errata/RHSA-2026:23245

https://access.redhat.com/errata/RHSA-2026:23240

https://access.redhat.com/errata/RHSA-2026:23233

https://access.redhat.com/errata/RHSA-2026:21702

https://access.redhat.com/errata/RHSA-2026:21695

https://access.redhat.com/errata/RHSA-2026:21690

https://access.redhat.com/errata/RHSA-2026:21656

https://access.redhat.com/errata/RHSA-2026:20593

https://access.redhat.com/errata/RHSA-2026:20299

https://access.redhat.com/errata/RHSA-2026:20130

https://access.redhat.com/errata/RHSA-2026:20129

https://access.redhat.com/errata/RHSA-2026:20087

https://access.redhat.com/errata/RHSA-2026:20054

https://access.redhat.com/errata/RHSA-2026:20051

https://access.redhat.com/errata/RHSA-2026:19875

https://access.redhat.com/errata/RHSA-2026:19711

https://access.redhat.com/errata/RHSA-2026:19705

https://access.redhat.com/errata/RHSA-2026:19666

https://access.redhat.com/errata/RHSA-2026:19664

https://access.redhat.com/errata/RHSA-2026:19569

https://access.redhat.com/errata/RHSA-2026:19568

https://access.redhat.com/errata/RHSA-2026:19540

https://access.redhat.com/errata/RHSA-2026:19521

https://access.redhat.com/errata/RHBA-2026:20032

http://www.openwall.com/lists/oss-security/2026/05/21/13

http://www.openwall.com/lists/oss-security/2026/05/21/12

http://www.openwall.com/lists/oss-security/2026/05/21/11

http://www.openwall.com/lists/oss-security/2026/05/13/5

Details

Source: Mitre, NVD

Published: 2026-05-23

Updated: 2026-07-02

Named Vulnerability: Fragnesia

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00054

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest