CVE-2026-43503
HIGHnet: skbuff: preserve shared-frag marker during coalescing
Title source: cnaExploitation Summary
EIP tracks 11 public exploits for CVE-2026-43503. PoCs published by Hex0rc1st, dyeat, douglasmun.
AI-analyzed exploit summary This is a detailed security advisory from Qi'anxin CERT about the Linux Kernel DirtyClone local privilege escalation vulnerability (CVE-2026-43503). It provides an overview of the vulnerability, including its name, CVE number, and disclosure date, but does not include exploit code or deep technical analysis.
Description
In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false. The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes. Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change. The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker. The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently. The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.
Exploits (11)
This is a detailed security advisory from Qi'anxin CERT about the Linux Kernel DirtyClone local privilege escalation vulnerability (CVE-2026-43503). It provides an overview of the vulnerability, including its name, CVE number, and disclosure date, but does not include exploit code or deep technical analysis.
This repository contains functional exploit code for CVE-2026-43503, a Linux kernel privilege escalation vulnerability. The exploit leverages user namespace and network namespace manipulation to achieve root access via crafted XFRM state manipulation and file corruption.
This repository provides a defensive containment kit for CVE-2026-43503, focusing on hardening Linux systems against a local privilege escalation (LPE) vulnerability in the page cache. It includes scripts for detection, hardening, and verification, along with a test harness for validating the defensive measures in a disposable environment.
This repository contains a functional local privilege escalation exploit for CVE-2026-43503, leveraging a Linux kernel vulnerability where a cloned `sk_buff` loses the `SKBFL_SHARED_FRAG` flag, allowing ESP in-place decryption to overwrite file-backed page-cache memory. The PoC injects a uid-0 account into `/etc/passwd` and provides a root shell.
This repository contains a functional Python exploit for CVE-2026-43503 (DirtyClone), a Linux kernel local privilege escalation vulnerability. The exploit leverages improper flag propagation in `__pskb_copy_fclone()` to perform in-place decryption into file-backed page cache memory, allowing an unprivileged user to gain root privileges by overwriting `/etc/passwd`.
This repository contains a functional Python exploit for CVE-2026-43503 (DirtyClone), a Linux kernel local privilege escalation vulnerability. The exploit leverages improper flag propagation in `__pskb_copy_fclone()` to perform in-place decryption into file-backed page cache memory, allowing an unprivileged user to gain root privileges by overwriting `/etc/passwd`.
The repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-43503, targeting a kernel/XFRM vulnerability. The exploit uses namespaces, XFRM/IPsec state manipulation, and a crafted ESP payload to corrupt the page cache of a target SUID binary (/usr/bin/su), achieving privilege escalation.
This is a functional PoC for CVE-2026-43503, a local privilege escalation vulnerability in the Linux kernel involving page cache manipulation through IPsec in-place decryption. The exploit uses network namespaces, IPsec configuration, and packet cloning to trigger the vulnerability.
This repository contains a functional exploit for CVE-2026-43503 (DirtyClone), a local privilege escalation vulnerability in the Linux kernel's clone/namespace subsystem. The exploit leverages a race condition/use-after-free to achieve arbitrary write primitives, ultimately overwriting process credentials to gain root privileges.
The repository contains a functional exploit for CVE-2026-43503, a local privilege escalation vulnerability in the Linux kernel's networking subsystem. The exploit leverages improper handling of the SKBFL_SHARED_FRAG flag to corrupt page-cache memory and escalate privileges to root.
References (48)
Scores
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H