03.06.2026
Kunbus-2026-0000007: Fragnesia
TLP: WHITE
| Publisher: KUNBUS PSIRT | Document category: csaf_vex |
| Initial release date: 2026-06-03T12:43:21.710323034Z | Engine: csaf-cms-backend 1.0.0 |
| Current release date: 2026-06-03T12:43:21.710323034Z | Build Date: 2026-06-03T12:41:10.348Z |
| Current version: 1.0.0 | Status: final |
| CVSSv3.1 Base Score: 7.8 | Severity: |
| Original language: | Language: en-US |
| Also referred to: | |
Vulnerabilities
(CVE-2026-46300)
Description

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: preserve shared-frag marker during coalescing

skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers.

In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

| CWE: | CWE-787: Out-of-bounds Write |
|---|---|
Product status
Known affected
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| KUNBUS Revolution Pi Revolution Pi OS Bookworm <= (03/2026) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.8 |
| KUNBUS Revolution Pi Revolution Pi OS Bullseye | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.8 |
| KUNBUS Revolution Pi linux-image-revpi-v8 <= 6.12.87-revpi0-rpi-v8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.8 |
Fixed
- KUNBUS Revolution Pi linux-image-revpi-v8 6.12.91-revpi0-rpi-v8
Remediations
Vendor fix (2026-05-29T10:00:00.000Z)
Install the kernel package at version 6.12.91 or later.
For products:
- KUNBUS Revolution Pi Revolution Pi OS Bookworm <= (03/2026)
- KUNBUS Revolution Pi linux-image-revpi-v8 6.12.91-revpi0-rpi-v8
Workaround (2026-05-28T10:00:00.000Z)
Deactivate the ESP kernel modules:

```sh
rmmod esp4 esp6
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > /etc/modprobe.d/fragnesia.conf
```
For products:
- KUNBUS Revolution Pi Revolution Pi OS Bookworm <= (03/2026)
- KUNBUS Revolution Pi Revolution Pi OS Bullseye
- KUNBUS Revolution Pi linux-image-revpi-v8 <= 6.12.87-revpi0-rpi-v8
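One way to check a device against the vendor fix and the workaround above. This is an added example, not KUNBUS code. The function names are hypothetical, and it assumes the upstream version at the start of `uname -r` is what has to reach 6.12.91 and that the ESP code is built as loadable modules.

```sh
#!/bin/sh
# Added example (not from the advisory): host check for the fix and workaround.
FIXED="6.12.91"   # minimum kernel version stated in the advisory

# kernel_fixed RELEASE: true if RELEASE (uname -r format) is >= FIXED.
kernel_fixed() {
    # Drop the "-revpi0-rpi-v8" style suffix, then compare field by field.
    printf '%s %s\n' "${1%%-*}" "$FIXED" | awk '{
        split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        exit 0 }'
}

# esp_loaded [FILE]: true if esp4 or esp6 appears in a /proc/modules style file.
esp_loaded() {
    grep -Eqs '^esp[46] ' "${1:-/proc/modules}"
}

# esp_blocked [DIR]: true only if BOTH install overrides from the workaround exist.
esp_blocked() {
    dir=${1:-/etc/modprobe.d}
    for m in esp4 esp6; do
        grep -Eqs "^[[:space:]]*install[[:space:]]+${m}[[:space:]]+/bin/false" \
            "$dir"/*.conf || return 1
    done
}

# assess RELEASE [MODULES_FILE] [MODPROBE_DIR]: prints one status word.
assess() {
    if kernel_fixed "$1"; then echo fixed; return; fi
    if esp_loaded "$2"; then echo exposed; return; fi
    # Not loaded right now; without the override the module can still autoload.
    if esp_blocked "$3"; then echo mitigated; else echo unloaded-not-blocked; fi
}

assess "$(uname -r)"
```

The `unloaded-not-blocked` result covers a device where `rmmod` was run but the modprobe file was never written, so the modules can come back after a reboot or on demand.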
KUNBUS PSIRT
Namespace: https://www.kunbus.com
product-security@kunbus.com
KUNBUS GmbH develops and produces the Revolution Pi Family, Revolution Pi OS and the extension modules for RevPi amongst others. KUNBUS PSIRT is responsible for vulnerability handling across all KUNBUS products and services.
References
- URL generated by system (self): https://psirt.kunbus.com/white/2026/kunbus-2026-0000007.json
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1.0.0 | 2026-06-03T12:43:21.710323034Z | Initial Publication |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. KUNBUS RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.