{
  "variant_id": "CVE-2026-43503-fragnesia-sibling-skb_try_coalesce",
  "created_at": "2026-07-03T13:02:19Z",
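  "variant_summary": "Fragnesia-style sibling variant of CVE-2026-43503 (DirtyClone) that uses ESP-in-TCP over veth and TCP receive coalescing (skb_try_coalesce) to reach the same in-place ESP-decryption sink over file-backed page-cache frags. On the variant target (Ubuntu mainline 7.0.10-070010-generic) the end-to-end target was not reached: the path is blocked by the CVE-2026-43503 fix plus the CVE-2026-46300 skb_try_coalesce backport in v7.0.10.",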
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git",
  "submitted_target": {
    "target_kind": "git_commit",
    "commit_sha": "48f6a5356a33dd78e7144ae1faef95ffc990aae0",
    "version": "v7.1-rc5",
    "ref": "refs/tags/v7.1-rc5",
    "display": "CVE-2026-43503 upstream fix 48f6a5356a33 (v7.1-rc5)"
  },
  "variant_target": {
    "target_kind": "kernel_package",
    "commit_sha": null,
    "version": "7.0.10-070010-generic",
    "ref": "Ubuntu mainline 7.0.10 package 202605231316",
    "display": "Ubuntu mainline 7.0.10-070010-generic (v7.0.10 stable backport)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "local_kernel_runtime",
  "validated_surface": "local_kernel_runtime",
  "required_entrypoint_kind": "local_kernel_runtime",
  "required_entrypoint_detail": "Unprivileged user+network namespace; XFRM ESP-in-TCP (espintcp) SA/SP over a veth pair; vmsplice/splice zero-copy data into TCP socket; TCP receive coalescing reaches skb_try_coalesce()",
  "attacker_controlled_input": "unprivileged local attacker with XFRM ESP-in-TCP (espintcp) + veth + vmsplice/splice zero-copy data",
  "trigger_path": "skb_try_coalesce() in TCP receive path; in-place ESP decryption over file-backed page cache",
  "observed_impact_class": "privilege_escalation",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": "blocking_mitigation",
  "blocking_mitigation": "CVE-2026-43503 fix plus CVE-2026-46300 skb_try_coalesce backport in v7.0.10",
  "file_path": "net/core/skbuff.c",
  "line_start": 6085,
  "line_end": 6170,
  "secondary_anchors": [
    {
      "file_path": "net/ipv4/espintcp.c",
      "line_start": 1,
      "line_end": 50
    },
    {
      "file_path": "net/ipv4/tcp_input.c",
      "line_start": 1,
      "line_end": 50
    }
  ],
  "review_scope_paths": [
    "net/core/skbuff.c",
    "net/core/gro.c",
    "net/ipv4/tcp_output.c",
    "net/ipv4/tcp_input.c",
    "net/ipv4/espintcp.c"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
