SharedFrag (CVE-2026-43503)
Document Version: 1.0
Severity: High (CVE), Low–Medium (TrueNAS Impact)
CVE-2026-43503 is a Linux kernel vulnerability in the network stack’s socket buffer (skbuff) layer. Multiple frag-transfer helpers fail to propagate the SKBFL_SHARED_FRAG flag when moving packet fragments between socket buffers. This allows an unprivileged local attacker to corrupt the Linux page cache, potentially overwriting root-owned read-only files and achieving local privilege escalation.
The vulnerability has existed since Linux 3.9 and affects all maintained stable series. Fixes landed in 6.12.92, 6.18.33, and 7.0.10.
TrueNAS Impact: LOW–MEDIUM — The kernel bug is present on unpatched releases, but the attack requires IPsec to be actively configured, which is not a default TrueNAS deployment. ZFS filesystem protection likely applies but has not been verified for this specific CVE.
The following frag-transfer functions fail to copy the SKBFL_SHARED_FRAG bit from source to destination socket buffer:
- __pskb_copy_fclone() — used by pskb_copy(), nft dup, nf_dup_ipv4(), xt_TEE
- skb_shift()
- skb_gro_receive() and skb_gro_receive_list()
- tcp_clone_payload()
- skb_segment()
When a socket buffer with page-cache-backed fragments (e.g., from sendfile()) passes through any of these helpers, the destination buffer still holds references to the original page-cache pages but reports skb_has_shared_frag() as false. Downstream in-place writers such as ESP input (esp4.c, esp6.c) skip the required skb_cow_data() call and write directly into those page-cache pages.
A single nft dup to <local> rule, nf_dup_ipv4(), or xt_TEE caller is sufficient to route a pskb_copy()’d socket buffer through ESP input with the shared-frag marker stripped. An unprivileged user who can send data over an IPsec tunnel and add a nftables dup rule (via user namespaces) can arrange for ESP to overwrite page-cache pages belonging to root-owned read-only files.
- Type: Page cache corruption → local privilege escalation (LPE)
- CVSS: 8.8 HIGH — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Attack Vector: Local, low privilege (user namespaces required)
- Active Exploitation: Not in CISA KEV catalog
| Release | Kernel Base | Status |
|---|---|---|
| 25.10.3.1 and earlier | 6.12.33 | Affected — fix in 6.12.92 |
| 25.10.4 | 6.12.x | Affected — pending 6.12.92 |
| 25.10.5 | 6.12.91 | Affected — fix in 6.12.92 |
| dev (25.10.4+) as of 2026-06-25 | 6.18.35 | Patched — fix merged via v6.18.33 |
The attack chain requires all of the following:
- Local shell access as an unprivileged user
- IPsec (ESP) actively configured — TrueNAS does not configure IPsec by default; this must be explicitly set up by an administrator
- Ability to add nftables dup/TEE rules — achievable via user namespaces when IPsec is present
The IPsec requirement is the most significant barrier. A stock TrueNAS deployment with no IPsec configuration cannot be exploited via the documented attack path.
TrueNAS stores all system binaries on a ZFS-backed root pool. Previous testing of related page-cache corruption vulnerabilities (CVE-2026-43284, CVE-2026-43500, CVE-2026-46331) confirmed that ZFS’s caching architecture prevents page-cache corruption from reaching ZFS-backed files. This protection likely applies to CVE-2026-43503 as well, but has not been specifically verified for this CVE’s ESP-input attack path.
- TrueNAS dev / 25.10.4+ (6.18.35+): Patched — fix present via v6.18.33 stable merge.
- TrueNAS 25.10.x: Fix targeted for 6.12.92; not yet available.
- Do not configure IPsec unless required — this eliminates the documented attack path.
- Restrict local shell access — limit which users have shell accounts on the system.
- Apply kernel updates when 6.12.92 becomes available via the normal update channel.
To disable ESP modules on 25.10.x releases pending the kernel fix:
midclt call system.advanced.update '{"kernel_extra_options": "module_blacklist=esp4,esp6"}'
Note: Disabling esp4/esp6 will prevent IPsec VPN functionality. Only apply if IPsec is not in use.
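As an added example (not part of this advisory or of TrueNAS's own tooling), the POSIX shell check below classifies a kernel version against the fixed releases named above (6.12.92, 6.18.33, 7.0.10) and reports whether the IPsec precondition for the documented attack path, or the esp4/esp6 blacklist mitigation, is present on the running host. The status labels and the series-to-fix mapping are assumptions drawn from this document; other stable series are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not part of the TrueNAS advisory: classify a kernel version
# against the fixed releases above and check the host's IPsec exposure.
# vuln_status VERSION -> prints: affected | patched | unknown | not_affected
vuln_status() {
    v=${1%%-*}                      # strip "-rc1", "-production+truenas", ...
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0   # "6.12" given with no patch level
    case "$maj.$min" in
        6.12) fixed=92 ;;
        6.18) fixed=33 ;;
        7.0)  fixed=10 ;;
        *)  # bug present since 3.9; no fixed version listed for other series
            if [ "$maj" -lt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -lt 9 ]; }; then
                echo not_affected; else echo unknown; fi
            return 0 ;;
    esac
    if [ "$pat" -ge "$fixed" ]; then echo patched; else echo affected; fi
}
# esp_blacklisted CMDLINE -> success if module_blacklist= names esp4 and esp6
esp_blacklisted() {
    for tok in $1; do
        case "$tok" in
            module_blacklist=*)
                list=",${tok#module_blacklist=},"
                case "$list" in *,esp4,*) case "$list" in *,esp6,*) return 0 ;; esac ;; esac ;;
        esac
    done
    return 1
}
# ipsec_active -> success if esp4/esp6 is loaded or any xfrm state exists
ipsec_active() {
    grep -qE '^(esp4|esp6) ' /proc/modules 2>/dev/null && return 0
    [ -n "$(ip xfrm state 2>/dev/null)" ]
}
# host_report: verdict for the running host (run as: sh check.sh --run)
host_report() {
    printf 'kernel %s: %s\n' "$(uname -r)" "$(vuln_status "$(uname -r)")"
    if esp_blacklisted "$(cat /proc/cmdline 2>/dev/null)"; then
        echo 'esp4/esp6 blacklisted: documented attack path closed'
    elif ipsec_active; then
        echo 'IPsec active: attack path open on an affected kernel'
    else
        echo 'no IPsec configured: documented attack path not reachable'
    fi
}
case "${1:-}" in --run) host_report ;; esac
```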
- CVE-2026-43503: net: skbuff: propagate shared-frag marker through frag-transfer helpers
- Upstream fix (6.18 series): ff375cc75f91 — merged in v6.18.33
- Upstream fix (6.12 series): fc6eb39c55e9 — merged in v6.12.92
- Related CVEs: CVE-2026-43284, CVE-2026-43500 (Dirty Frag — same page-cache corruption class)
- TrueNAS Security: https://security.truenas.com
This document will be updated as kernel fixes become available for the 25.10.x series or if additional exploit vectors are identified.