| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for CVE-2026-43494 | 30 May 2026 11:44 | – | githubexploit |
| Exploit for Out-of-bounds Write in Linux Linux_Kernel | 3 Jun 2026 09:19 | – | githubexploit |
| Exploit for CVE-2026-46300 | 20 May 2026 15:11 | – | githubexploit |
| Exploit for Out-of-bounds Write in Linux Linux_Kernel | 2 Jun 2026 15:08 | – | githubexploit |
| Exploit for CVE-2026-46300 | 14 May 2026 07:27 | – | githubexploit |
| Exploit for CVE-2026-46300 | 17 May 2026 09:00 | – | githubexploit |
| Exploit for CVE-2026-46300 | 14 May 2026 07:17 | – | githubexploit |
| Exploit for Out-of-bounds Write in Linux Linux_Kernel | 2 Jun 2026 06:42 | – | githubexploit |
| Exploit for CVE-2026-43494 | 25 May 2026 07:45 | – | githubexploit |
| CVE-2026-43503 | 23 May 2026 11:44 | – | attackerkb |

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2026:0418.
##
include('compat.inc');
if (description)
{
  script_id(319737);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/08");
  script_cve_id("CVE-2026-43494", "CVE-2026-43503", "CVE-2026-46300");
  script_name(english:"TencentOS Server 2: kernel (TSSA-2026:0418)");
  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 2 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 2 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0418 advisory.
Package updates are available for TencentOS Server 2 that fix the following vulnerabilities:
CVE-2026-46300:
kernel: Fragnesia is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege
Escalation (LPE) vulnerability in the Linux kernel
CVE-2026-43503:
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: propagate shared-frag marker through frag-transfer helpers
Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail
to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when
moving frags from source to destination. __pskb_copy_fclone() defers
the rest of the shinfo metadata to skb_copy_header() after copying
frag descriptors, but that helper only carries over gso_{size,segs,
type} and never touches skb_shinfo()->flags; skb_shift() moves frag
descriptors directly and leaves flags untouched. As a result, the
destination skb keeps a reference to the same externally-owned or
page-cache-backed pages while reporting skb_has_shared_frag() as
false.
The mismatch is harmful in any in-place writer that uses
skb_has_shared_frag() to decide whether shared pages must be detoured
through skb_cow_data(). ESP input is one such writer (esp4.c,
esp6.c), and a single nft 'dup to <local>' rule -- or any other
nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d
skb in esp_input() with the marker stripped, letting an unprivileged
user write into the page cache of a root-owned read-only file via
authencesn-ESN stray writes.
Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
were actually moved from the source. skb_copy() and skb_copy_expand()
share skb_copy_header() too but linearize all paged data into freshly
allocated head storage and emerge with nr_frags == 0, so
skb_has_shared_frag() returns false on its own; they need no change.
The same omission exists in skb_gro_receive() and skb_gro_receive_list().
The former moves the incoming skb's frag descriptors into the
accumulator's last sub-skb via two paths (a direct frag-move loop and
the head_frag + memcpy path); the latter chains the incoming skb whole
onto p's frag_list. Downstream skb_segment() reads only
skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's
shinfo as the nskb -- both p and lp must carry the marker.
The same omission also exists in tcp_clone_payload(), which builds an
MTU probe skb by moving frag descriptors from skbs on sk_write_queue
into a freshly allocated nskb. The helper falls into the same family
and warrants the same fix for consistency; no TCP TX-side in-place
writer is currently known to reach a user page through this gap, but
a future consumer depending on the marker would regress silently.
The same omission exists in skb_segment(): the per-iteration flag
merge takes only head_skb's flag, and the inner switch that rebinds
frag_skb to list_skb on head_skb-frags exhaustion does not fold the
new frag_skb's flag into nskb. Fold frag_skb's flag at both sites
so segments drawing frags from frag_list members carry the marker.
CVE-2026-43494:
In the Linux kernel, the following vulnerability has been resolved:
net/rds: reset op_nents when zerocopy page pin fails
When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared. But we fail to properly
clear rm->data.op_nents.
Later when rds_message_purge() is called from rds_sendmsg() the
cleanup loop iterates over the incorrectly non zero number of
op_nents and frees them again.
Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().
Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20260418.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-46300");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/08");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:kernel");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");
  exit(0);
}
include('rpm2.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^2([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 2.x', 'TencentOS ' + os_version);
if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);
var constraints = [
  {
    'release': '2',
    'pkgs': [
      {'reference':'bpftool-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'bpftool-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'bpftool-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'bpftool-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-core-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-core-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-debuginfo-common-aarch64-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-debuginfo-common-x86_64-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-devel-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-devel-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-headers-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-headers-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-modules-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-modules-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-libs-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-libs-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-libs-devel-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-libs-devel-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mlnx-ofed-dist-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mlnx-ofed-dist-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perf-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perf-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perf-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perf-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-perf-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-perf-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-perf-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-perf-debuginfo-5.4.119-19.0009.65.3.tl2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];
var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');
var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
    port : 0,
    severity : SECURITY_WARNING,
    extra : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / bpftool-debuginfo / kernel / etc');
}