{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "cef401de7be8c4e155c6746bfccf721a4fa5fab9"
            },
            {
              "fixed": "3599e6b3cc1ada96883d496a50a210d3afbb6987"
            },
            {
              "fixed": "2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c"
            },
            {
              "fixed": "9d3e5fd19fe1063bf607219e8562fbd567b8e8d5"
            },
            {
              "fixed": "78bf6b6bb19541d19fbda6242e7cfe2c682763c0"
            },
            {
              "fixed": "760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e"
            },
            {
              "fixed": "3bd9e113d50034db99d7ef69fd8e5242d15e414a"
            },
            {
              "fixed": "3884358a9286b17f389a72b1426fc4547c23c111"
            },
            {
              "fixed": "f84eca5817390257cef78013d0112481c503b4a3"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "5.10.257"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.208"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.174"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.141"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.91"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.33"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46300.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: preserve shared-frag marker during coalescing\n\nskb_try_coalesce() can attach paged frags from @from to @to.  If @from\nhas SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same\nexternally-owned or page-cache-backed frags, but the shared-frag marker\nis currently lost.\n\nThat breaks the invariant relied on by later in-place writers.  In\nparticular, ESP input checks skb_has_shared_frag() before deciding\nwhether an uncloned nonlinear skb can skip skb_cow_data().  If TCP\nreceive coalescing has moved shared frags into an unmarked skb, ESP can\nsee skb_has_shared_frag() as false and decrypt in place over page-cache\nbacked frags.\n\nPropagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged\nfrags.  The tailroom copy path does not need the marker because it copies\nbytes into @to's linear data rather than transferring frag descriptors.",
  "id": "CVE-2026-46300",
  "modified": "2026-07-11T03:54:05.888399297Z",
  "published": "2026-05-23T11:44:02.231Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/13/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/21/11"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/21/12"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/21/13"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46300.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHBA-2026:20032"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19521"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19540"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19568"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19569"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19664"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19666"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19705"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19711"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19875"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20051"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20054"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20087"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20129"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20130"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20299"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20593"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:21656"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:21690"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:21695"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:21702"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:23233"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:23240"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:23245"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:23468"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:23469"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:23470"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:23471"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:24814"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:25044"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:28887"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33486"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:34098"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/CVE-2026-46300"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46300.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46300"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477015"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "net: skbuff: preserve shared-frag marker during coalescing"
}