Linux Kernel CVE-2026-43503: Networking skbuff Frag-Transfer Bug Causes Memory Corruption (CVSS 8.8)

Linux kernel stable branch patches published 23 May address CVE-2026-43503, a CVSS 8.8 memory corruption vulnerability in two networking helper functions that incorrectly handle the SKBFL_SHARED_FRAG flag during fragment transfers. The bug affects the skb_shift and __pskb_copy_fclone functions across multiple kernel versions and can be triggered by crafted network traffic on affected configurations.


Linux kernel stable branch patches published on 23 May address CVE-2026-43503, a CVSS 8.8 memory corruption vulnerability in two networking helper functions: __pskb_copy_fclone and skb_shift. Both functions process socket buffer (skb) fragment transfers in the kernel’s networking stack, and both fail to correctly propagate the SKBFL_SHARED_FRAG flag to fragment clones and shifted fragments.

The SKBFL_SHARED_FRAG flag indicates that fragment memory is shared between multiple socket buffers and should not be freed independently. When the flag is not propagated correctly, the kernel may incorrectly free memory that is still in use by another buffer path, leading to use-after-free conditions or double-free corruption in the network stack.
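The propagation failure described above can be reproduced in a small userspace model. This is an added example, not kernel code and not the upstream patch: the `toy_*` names, the structure layout and the flag's numeric value are assumptions made for illustration, and only the flag name comes from the article.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy userspace model. Flag name is from the article; its value is illustrative. */
#define SKBFL_SHARED_FRAG (1u << 1)
#define MAX_FRAGS 4

struct toy_page { int refs; };          /* stand-in for fragment memory */
struct toy_skb {
    unsigned int flags;                 /* stand-in for the buffer's shared-info flags */
    size_t nr_frags;
    struct toy_page *frags[MAX_FRAGS];
};

/* Hand src's fragments to dst by reference, without copying the data.
 * propagate == 0 models the missing flag propagation the article describes. */
static void toy_transfer_frags(struct toy_skb *dst, const struct toy_skb *src,
                               int propagate)
{
    for (size_t i = 0; i < src->nr_frags && dst->nr_frags < MAX_FRAGS; i++) {
        src->frags[i]->refs++;          /* both buffers now reference this memory */
        dst->frags[dst->nr_frags++] = src->frags[i];
    }
    if (propagate)
        dst->flags |= src->flags & SKBFL_SHARED_FRAG;
}

/* Invariant check: count fragments skb would treat as exclusively owned
 * (flag clear) although another buffer still holds a reference. */
static size_t toy_unsafe_frags(const struct toy_skb *skb)
{
    size_t n = 0;
    if (skb->flags & SKBFL_SHARED_FRAG) return 0;
    for (size_t i = 0; i < skb->nr_frags; i++)
        n += skb->frags[i]->refs > 1;
    return n;
}

/* Constructed input: a two-fragment source buffer marked as shared. */
static size_t toy_run(int propagate)
{
    struct toy_page p[2] = { { 1 }, { 1 } };
    struct toy_skb src = { SKBFL_SHARED_FRAG, 2, { &p[0], &p[1] } };
    struct toy_skb dst = { 0, 0, { NULL } };
    toy_transfer_frags(&dst, &src, propagate);
    return toy_unsafe_frags(&dst);
}

int main(void)
{
    printf("flag dropped: %zu unsafe, flag propagated: %zu unsafe\n",
           toy_run(0), toy_run(1));
    return 0;
}
```

When the flag is dropped, the destination buffer looks like the sole owner of memory that the source still references, which is the state that precedes the use-after-free and double-free conditions described above.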

Technical Impact

The vulnerability is in the network packet processing path: code that runs at kernel privilege for every packet that traverses certain code paths in the Linux networking stack. Memory corruption in kernel space at this level has several potential consequences:

Kernel crash (DoS): The most common immediate consequence of use-after-free in kernel networking code is a kernel panic or oops, which crashes the system. An attacker who can trigger this path with crafted packets can cause denial of service on systems processing network traffic through the affected code paths.

Privilege escalation (potential): Reliable memory corruption in kernel space creates the theoretical foundation for privilege escalation: converting memory corruption into controlled writes that modify kernel data structures. This requires additional exploitation primitives beyond the initial bug and is substantially harder than DoS exploitation, but is within the capability of advanced exploit developers.

Affected Versions and Scope

The vulnerability exists across multiple Linux kernel stable branches. Patches have been applied to:

  • Linux 6.1.x (longterm)
  • Linux 6.6.x (longterm)
  • Linux 6.12.x (stable)
  • Linux 6.14.x (mainline)

The bug is in the kernel networking stack and affects systems processing network traffic where fragment manipulation occurs. This includes systems acting as routers, firewalls, network namespace hosts (Kubernetes nodes), and any server performing packet processing with the affected code path.

Distribution Patch Status

At time of publication, patches are available upstream in the stable kernel trees. Distribution-level packages typically follow within a few days of upstream stable commits. Check your distribution’s security advisory channels:

  • Red Hat / RHEL: rhsa-announce mailing list and errata.redhat.com
  • Ubuntu: ubuntu-security-announce mailing list and ubuntu.com/security/notices
  • Debian: debian-security-announce mailing list and security-tracker.debian.org
  • SUSE / openSUSE: suse-security-announce mailing list

Kubernetes node operators: Linux kernel vulnerabilities in networking code are particularly relevant to Kubernetes nodes, which process high volumes of containerised network traffic. Apply kernel updates to node pools promptly.

Immediate mitigation: There is no configuration-based mitigation that eliminates the vulnerability while maintaining full network functionality. Kernel updates are the only remediation. Systems that can be restarted with an updated kernel should prioritise doing so.
