CVE-2026-53363
Received Received - Intake

IPTFS Fragment Handling Flaw in Linux Kernel

Vulnerability report for CVE-2026-53363, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() iptfs_consume_frags() transfers paged fragments from one socket buffer to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is the same class of bug that was fixed in skb_try_coalesce() for CVE-2026-46300: when fragments backed by read-only page-cache pages are merged, the marker indicating their shared nature must be preserved so that ESP can decide correctly whether in-place encryption is safe. Apply the same two-line fix used in skb_try_coalesce() to iptfs_consume_frags().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's handling of iptfs (IP Tunnel Fragmentation System) within the xfrm subsystem. Specifically, the function iptfs_consume_frags() transfers paged fragments from one socket buffer to another but fails to preserve the SKBFL_SHARED_FRAG flag. This flag indicates that fragments are shared and backed by read-only page-cache pages. Without preserving this marker, the system cannot correctly determine if in-place encryption by ESP (Encapsulating Security Payload) is safe.

The issue is similar to a previously fixed bug (CVE-2026-46300) in skb_try_coalesce(), where merging fragments backed by read-only pages required preserving the shared-frag marker. The fix involves applying the same two-line patch used in skb_try_coalesce() to iptfs_consume_frags() to ensure the flag is propagated correctly.

Impact Analysis

If the SKBFL_SHARED_FRAG flag is not preserved during fragment transfer, the ESP subsystem may incorrectly assume it is safe to perform in-place encryption on fragments that are actually shared and backed by read-only pages. This can lead to data corruption or security issues because encryption might modify shared data unexpectedly.

Therefore, the vulnerability could impact the integrity and confidentiality of encrypted network traffic handled by the Linux kernel, potentially causing security failures or data integrity problems in systems relying on IPsec or related encryption mechanisms.

Mitigation Strategies

The vulnerability has been resolved by applying a two-line fix in the Linux kernel code, specifically in the iptfs_consume_frags() function to preserve the SKBFL_SHARED_FRAG flag.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53363. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart