# CVE-2026-43503

## Summary

DirtyClone: Linux kernel local privilege escalation via SKB shared-frag marker loss

## Description

CVE-2026-43503 (DirtyClone) is a local privilege escalation flaw in the Linux kernel networking stack. When socket-buffer (skb) fragment descriptors are transferred between skbs by __pskb_copy_fclone(), skb_shift(), skb_gro_receive(), skb_gro_receive_list(), tcp_clone_payload(), and skb_segment(), the kernel fails to propagate the SKBFL_SHARED_FRAG flag in skb_shinfo()->flags. A cloned skb can therefore keep a reference to file-backed page-cache memory while reporting skb_has_shared_frag() as false. This bypasses the XFRM/IPsec skb_cow_data() copy-on-write safeguard, allowing an unprivileged local attacker to write decrypted bytes into a root-owned read-only binary's page cache and ultimately gain root code execution.

Affected versions: Linux kernel mainline before v7.1-rc5; stable branches before 5.10.257, 5.15.208, 6.1.174, 6.6.141, 6.12.91, 6.18.33, 7.0.10. Fixed upstream in Linux v7.1-rc5 (commit 48f6a5356a33dd78e7144ae1faef95ffc990aae0) and backported to the stable commits listed in NVD/GitHub Advisory.

Reproduction context: A vulnerable runtime kernel with CONFIG_XFRM, CONFIG_INET_ESP, CONFIG_NETFILTER_XT_TARGET_TEE, and unprivileged user namespaces enabled. From an unprivileged user+network namespace, bring up loopback, configure a loopback XFRM/IPsec transport-mode SA and policy, install a netfilter TEE rule to force packet duplication through the __pskb_copy_fclone() path, mmap a SUID root binary into the page cache, use vmsplice/splice to attach that page-cache page as zero-copy data on a UDP socket, send the packet through the IPsec output path, and observe that the in-place decryption writes into the shared page-cache page on the vulnerable kernel. On a fixed kernel, the shared-frag flag is preserved, skb_cow_data() triggers a copy before decryption, and the page-cache contents remain unchanged.
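A user-space model of the flag loss and of the fix, added here for illustration and not taken from the kernel source: the structure and function names echo the kernel's, while the flag value, the page layout and the in-place transform standing in for ESP decryption are constructed for the model.

```c
/* Added illustrative model of the DirtyClone defect; not kernel code. Names echo
 * the kernel's, but the flag value and page layout are constructed for the model. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define SKBFL_SHARED_FRAG 0x2u              /* constructed flag value */
struct page { char data[32]; bool file_backed; };  /* one page-cache page */
struct frag { struct page *page; };
struct skb { unsigned int flags; struct frag frags[1]; unsigned int nr_frags; }; /* flags models skb_shinfo()->flags */
static bool skb_has_shared_frag(const struct skb *s) { return s->flags & SKBFL_SHARED_FRAG; }

/* Vulnerable transfer: frag descriptors move across, the flags word does not. */
static void copy_frags_vulnerable(struct skb *dst, const struct skb *src) {
    memcpy(dst->frags, src->frags, sizeof src->frags);
    dst->nr_frags = src->nr_frags;           /* dst->flags is left at 0 */
}
/* Fixed transfer: SKBFL_SHARED_FRAG follows the frags into the destination. */
static void copy_frags_fixed(struct skb *dst, const struct skb *src) {
    copy_frags_vulnerable(dst, src);
    dst->flags |= src->flags & SKBFL_SHARED_FRAG;
}
/* Model of skb_cow_data(): give the skb a private page before any in-place write.
 * Returns true when a copy was made, false when the frag was trusted as private. */
static bool skb_cow_data(struct skb *s, struct page *private_page) {
    if (!skb_has_shared_frag(s)) return false;
    memcpy(private_page->data, s->frags[0].page->data, sizeof private_page->data);
    private_page->file_backed = false;
    s->frags[0].page = private_page;
    s->flags &= ~SKBFL_SHARED_FRAG;
    return true;
}

/* Stand-in for in-place ESP decryption: rewrites whatever page the frag points at. */
static void decrypt_in_place(struct skb *s) {
    for (size_t i = 0; i < sizeof s->frags[0].page->data; i++)
        s->frags[0].page->data[i] ^= 0x55;
}

/* Clone a shared-frag skb via the vulnerable or fixed path, run COW + decrypt,
 * and report whether the file-backed page was changed underneath. */
static bool page_cache_modified(bool fixed) {
    struct page cache = { "page-cache-bytes", true }, scratch = { { 0 }, false };
    struct skb orig = { .flags = SKBFL_SHARED_FRAG, .frags = { { &cache } }, .nr_frags = 1 };
    struct skb clone = { 0 };
    if (fixed) copy_frags_fixed(&clone, &orig); else copy_frags_vulnerable(&clone, &orig);
    skb_cow_data(&clone, &scratch);
    decrypt_in_place(&clone);
    return memcmp(cache.data, "page-cache-bytes", 16) != 0;
}
```

With the vulnerable transfer the clone reports no shared frag, the copy-on-write step is skipped and the file-backed page is rewritten; with the fixed transfer the flag survives and the write lands on the private copy.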

## Metadata

- Product: linux
- Severity: high
- Status: open
