CVE-2026-43503

HIGHPre-NVD 8.88.8
EchelonGraph scoreMEDIUM confidence

Score 8.8 from GitHub Security Advisory (severity: HIGH) published 2026-05-26. a secondary CVSS source baseline 8.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary
Elevated
8.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.8Exploit: NoneExposed: 0

A fix is available — apply it.

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: propagate shared-frag marker through frag-transfer helpers

Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false.

The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to ' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes.

Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change.

The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker.

The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently.

The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.

CVSS v3
8.8
EG Score
8.8(medium)
EPSS
3.3%
KEV
Not listed

Published

May 23, 2026

Last Modified

July 15, 2026

Advisory Details (8)

Auto-updated Jun 2, 2026
No patch confirmed yet.
generic

net: skbuff: propagate shared-frag marker through frag-transfer helpers - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d
generic

net: skbuff: propagate shared-frag marker through frag-transfer helpers - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8
generic

net: skbuff: propagate shared-frag marker through frag-transfer helpers - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991
generic

net: skbuff: propagate shared-frag marker through frag-transfer helpers - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20
generic

net: skbuff: propagate shared-frag marker through frag-transfer helpers - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349
generic

net: skbuff: propagate shared-frag marker through frag-transfer helpers - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/48f6a5356a33dd78e7144ae1faef95ffc990aae0
generic

net: skbuff: propagate shared-frag marker through frag-transfer helpers - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196
generic

net: skbuff: propagate shared-frag marker through frag-transfer helpers - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee

Patch Availability(12)

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Additional Vendor Advisories

(12)

Data Freshness Timeline

(refreshed 7× in last 7d / 68× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 184 total refreshes for this CVE.

  1. 2026-07-15 16:57 UTCEPSS rescore
  2. 2026-07-15 02:00 UTCEPSS rescore
  3. 2026-07-13 22:30 UTCEPSS rescore
  4. 2026-07-13 06:13 UTCEPSS rescore
  5. 2026-07-12 05:46 UTCEPSS rescore
  6. 2026-07-11 08:27 UTCEPSS rescore
  7. 2026-07-09 19:10 UTCEPSS rescore
  8. 2026-07-08 15:16 UTCEPSS rescore
  9. 2026-07-07 13:46 UTCEPSS rescore
  10. 2026-07-06 02:23 UTCEPSS rescore
  11. 2026-07-05 02:30 UTCEPSS rescore
  12. 2026-07-04 06:31 UTCEPSS rescore
  13. 2026-07-01 15:07 UTCEPSS rescore
  14. 2026-06-30 23:22 UTCEPSS rescore
  15. 2026-06-29 16:30 UTCEG score recompute
  16. 2026-06-29 16:30 UTCVendor advisory
  17. 2026-06-29 16:30 UTCGHSA enrichment
  18. 2026-06-29 14:06 UTCEPSS rescore
  19. 2026-06-29 02:53 UTCEG score recompute
  20. 2026-06-29 02:53 UTCVendor advisory
  21. 2026-06-29 02:53 UTCGHSA enrichment
  22. 2026-06-28 14:07 UTCEPSS rescore
  23. 2026-06-28 09:16 UTCEG score recompute
  24. 2026-06-28 09:16 UTCVendor advisory
  25. 2026-06-28 09:15 UTCGHSA enrichment
Show 75 more
  1. 2026-06-28 04:56 UTCEPSS rescore
  2. 2026-06-27 20:33 UTCEG score recompute
  3. 2026-06-27 20:33 UTCVendor advisory
  4. 2026-06-27 20:33 UTCGHSA enrichment
  5. 2026-06-27 07:49 UTCEG score recompute
  6. 2026-06-27 07:49 UTCVendor advisory
  7. 2026-06-27 07:49 UTCGHSA enrichment
  8. 2026-06-27 03:08 UTCEPSS rescore
  9. 2026-06-26 19:06 UTCEG score recompute
  10. 2026-06-26 19:06 UTCVendor advisory
  11. 2026-06-26 19:06 UTCGHSA enrichment
  12. 2026-06-26 03:10 UTCEG score recompute
  13. 2026-06-26 03:10 UTCVendor advisory
  14. 2026-06-26 03:09 UTCGHSA enrichment
  15. 2026-06-25 13:50 UTCEG score recompute
  16. 2026-06-25 13:50 UTCVendor advisory
  17. 2026-06-25 13:50 UTCGHSA enrichment
  18. 2026-06-25 13:49 UTCEPSS rescore
  19. 2026-06-25 13:49 UTCEPSS rescore
  20. 2026-06-24 14:05 UTCEPSS rescore
  21. 2026-06-23 21:33 UTCEPSS rescore
  22. 2026-06-22 14:25 UTCEPSS rescore
  23. 2026-06-22 14:25 UTCEPSS rescore
  24. 2026-06-21 14:56 UTCEPSS rescore
  25. 2026-06-21 14:56 UTCEPSS rescore
  26. 2026-06-21 01:59 UTCEPSS rescore
  27. 2026-06-19 19:25 UTCEPSS rescore
  28. 2026-06-18 17:52 UTCEPSS rescore
  29. 2026-06-18 17:52 UTCEPSS rescore
  30. 2026-06-17 22:43 UTCEG score recompute
  31. 2026-06-17 22:43 UTCVendor advisory
  32. 2026-06-17 22:42 UTCGHSA enrichment
  33. 2026-06-17 17:53 UTCEPSS rescore
  34. 2026-06-17 10:00 UTCEG score recompute
  35. 2026-06-17 10:00 UTCVendor advisory
  36. 2026-06-17 10:00 UTCGHSA enrichment
  37. 2026-06-16 19:20 UTCEG score recompute
  38. 2026-06-16 19:20 UTCVendor advisory
  39. 2026-06-16 19:19 UTCGHSA enrichment
  40. 2026-06-16 17:52 UTCEPSS rescore
  41. 2026-06-16 03:34 UTCEG score recompute
  42. 2026-06-16 03:34 UTCVendor advisory
  43. 2026-06-16 03:34 UTCGHSA enrichment
  44. 2026-06-15 17:49 UTCEPSS rescore
  45. 2026-06-15 14:52 UTCEG score recompute
  46. 2026-06-15 14:52 UTCVendor advisory
  47. 2026-06-15 14:51 UTCGHSA enrichment
  48. 2026-06-14 23:14 UTCEG score recompute
  49. 2026-06-14 23:14 UTCVendor advisory
  50. 2026-06-14 23:13 UTCGHSA enrichment
  51. 2026-06-14 10:32 UTCEG score recompute
  52. 2026-06-14 10:32 UTCVendor advisory
  53. 2026-06-14 10:31 UTCGHSA enrichment
  54. 2026-06-13 23:00 UTCEPSS rescore
  55. 2026-06-13 21:47 UTCEG score recompute
  56. 2026-06-13 21:47 UTCVendor advisory
  57. 2026-06-13 21:47 UTCGHSA enrichment
  58. 2026-06-13 06:52 UTCEG score recompute
  59. 2026-06-13 06:52 UTCVendor advisory
  60. 2026-06-13 06:52 UTCGHSA enrichment
  61. 2026-06-12 23:12 UTCEPSS rescore
  62. 2026-06-12 23:12 UTCEPSS rescore
  63. 2026-06-12 18:10 UTCEG score recompute
  64. 2026-06-12 18:10 UTCVendor advisory
  65. 2026-06-12 18:10 UTCGHSA enrichment
  66. 2026-06-12 05:25 UTCEG score recompute
  67. 2026-06-12 05:25 UTCVendor advisory
  68. 2026-06-12 05:25 UTCGHSA enrichment
  69. 2026-06-11 16:42 UTCEG score recompute
  70. 2026-06-11 16:42 UTCVendor advisory
  71. 2026-06-11 16:42 UTCGHSA enrichment
  72. 2026-06-11 14:00 UTCEPSS rescore
  73. 2026-06-11 03:50 UTCEG score recompute
  74. 2026-06-11 03:50 UTCVendor advisory
  75. 2026-06-11 03:50 UTCGHSA enrichment

Publicly available exploits

(6 references)

Working exploit code is in the public domain (6 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

  • GitHub PoCentra1337/DirtyClone
    First seen Jun 29, 2026

    Python Proof of Concept for DirtyClone (CVE-2026-43503) - Linux kernel LPE via page-cache corruption

    Open source ↗
  • GitHub PoCgl1tch0x1/DirtyClone
    First seen Jun 28, 2026

    DirtyClone - local privilege escalation (LPE) proof-of-concept targeting a kernel/XFRM-related vulnerability described in the source as CVE-2026-43503

    Open source ↗
  • GitHub PoCdouglasmun/pagecache-lpe-containment-kit
    First seen Jun 27, 2026

    Educational, defensive kit for two Linux page-cache-corruption LPEs (DirtyClone CVE-2026-43503, pedit COW CVE-2026-46331): hardening, detection, verification, seccomp + validation harness. Detection and prevention only — no exploit code. TLP:CLEAR.

    Open source ↗
  • GitHub PoCmooder1/dirtyclone-CVE-2026-43503
    First seen Jun 26, 2026
    Open source ↗
  • GitHub PoCaexdyhaxor/CVE-2026-43503-DirtyClone
    First seen Jun 26, 2026
    Open source ↗
  • GitHub PoC0xBlackash/CVE-2026-43503
    First seen Jun 25, 2026

    CVE-2026-43503

    Open source ↗

Frequently asked(5)

What is CVE-2026-43503?
CVE-2026-43503 is a high vulnerability published on May 23, 2026. In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (pskbcopyfclone() and skb_shift()) fail to propagate the SKBFLSHAREDFRAG bit in skb_shinfo()->flags when moving frags from source to…
When was CVE-2026-43503 disclosed?
CVE-2026-43503 was first published in the National Vulnerability Database on May 23, 2026, with the most recent update on July 15, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-43503 actively exploited?
CVE-2026-43503 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 3.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-43503?
CVE-2026-43503 has a CVSS v3 base score of 8.8 (NVD).
How do I remediate CVE-2026-43503?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-43503, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-43503

Explore →

Is Your Infrastructure Affected by CVE-2026-43503?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.