Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of shared fragment markers during the coalescing of socket buffers can lead to local privilege escalation. The issue arises in the XFRM ESP-in-TCP subsystem, where shared fragments can be moved into unmarked socket buffers, allowing in-place decryption over page-cache backed fragments. This vulnerability has been assigned CVE-2026-46300 and is part of a class of vulnerabilities known as 'Dirty Frag', which involves improper handling of fragmented data that can be exploited to manipulate kernel memory.
Exploitation of this vulnerability allows a local, unprivileged user to gain elevated rights, potentially leading to unauthorized access to or control over system resources.
The vulnerability can be reproduced by transitioning a TCP socket to ESP-in-TCP mode after data has been spliced from a file into the receive queue. This process can be automated with a proof-of-concept exploit that modifies the kernel page cache of read-only files, without requiring any race conditions. The exploit takes advantage of the fact that the ESP subsystem does not properly handle shared fragments, allowing for unauthorized modifications to cached file data.
A patch addressing this vulnerability has been applied to the Linux kernel stable tree. Instructions for downloading the patched version are available on the Linux kernel Git repository.