7.8 CVE-2026-46300

Enriched by CISA Patch Exploit
 

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.
https://nvd.nist.gov/vuln/detail/CVE-2026-46300

Categories

CWE-787 : Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer. At the point when the product writes data to an invalid location, it is likely that a separate weakness already occurred earlier. For example, the product might alter an index, perform incorrect pointer arithmetic, initialize or release memory incorrectly, etc., thus referencing a memory location outside the buffer. Often used to describe the consequences of writing to memory outside the bounds of a buffer, or to memory that is otherwise invalid. This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Use tools that are integrated duringcompilation to insert runtime error-checking mechanismsrelated to memory safety errors, such as AddressSanitizer(ASan) for C/C++ [REF-1518]. Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. Font rendering library does not properlyhandle assigning a signed short value to an unsignedlong (CWE-195), leading to an integer wraparound(CWE-190), causing too small of a buffer (CWE-131),leading to an out-of-bounds write(CWE-787). The reference implementation code for a Trusted Platform Module does not implement length checks on data, allowing for an attacker to write 2 bytes past the end of a buffer. Chain: insufficient input validation (CWE-20) in browser allows heap corruption (CWE-787), as exploited in the wild per CISA KEV. GPU kernel driver allows memory corruption because a user can obtain read/write access to read-only pages, as exploited in the wild per CISA KEV. Chain: integer truncation (CWE-197) causes small buffer allocation (CWE-131) leading to out-of-bounds write (CWE-787) in kernel pool, as exploited in the wild per CISA KEV. Out-of-bounds write in kernel-mode driver, as exploited in the wild per CISA KEV. Escape from browser sandbox using out-of-bounds write due to incorrect bounds check, as exploited in the wild per CISA KEV. Memory corruption in web browser scripting engine, as exploited in the wild per CISA KEV. chain: mobile phone Bluetooth implementation does not include offset when calculating packet length (CWE-682), leading to out-of-bounds write (CWE-787) Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787). malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead. Unchecked length of SSLv2 challenge value leads to buffer underflow. Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130) Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) Classic stack-based buffer overflow in media player using a long entry in a playlist Heap-based buffer overflow in media player using a long entry in a playlist

References


 

AFFECTED (from MITRE)

Vendor Product Versions
Linux Linux
  • cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 3599e6b3cc1ada96883d496a50a210d3afbb6987 [affected]
  • cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c [affected]
  • cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 9d3e5fd19fe1063bf607219e8562fbd567b8e8d5 [affected]
  • cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 78bf6b6bb19541d19fbda6242e7cfe2c682763c0 [affected]
  • cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e [affected]
  • cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 3bd9e113d50034db99d7ef69fd8e5242d15e414a [affected]
  • cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 3884358a9286b17f389a72b1426fc4547c23c111 [affected]
  • cef401de7be8c4e155c6746bfccf721a4fa5fab9 < f84eca5817390257cef78013d0112481c503b4a3 [affected]
Linux Linux
  • 3.9 [affected]
  • < 3.9 [unaffected]
  • 5.10.257 ≤ 5.10.* [unaffected]
  • 5.15.208 ≤ 5.15.* [unaffected]
  • 6.1.174 ≤ 6.1.* [unaffected]
  • 6.6.141 ≤ 6.6.* [unaffected]
  • 6.12.91 ≤ 6.12.* [unaffected]
  • 6.18.33 ≤ 6.18.* [unaffected]
  • 7.0.10 ≤ 7.0.* [unaffected]
  • 7.1 ≤ * [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 3.9 <= 5.10.257
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 5.11 < 5.15.208
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 5.16 < 6.1.174
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 6.2 < 6.6.141
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 6.7 < 6.12.91
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 6.13 < 6.18.33
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 6.19 < 7.0.10
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*

REMEDIATION

Patch

Url
https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c
https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987
https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111
https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a
https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e
https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0
https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5
https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3

EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
https://github.com/Sentebale/CVE-2026-46300
https://github.com/0xBlackash/CVE-2026-46300

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry