CVE-2026-43503 Drops Shared-Frag Bit in __pskb_copy_fclone and skb_shift

The vulnerability stems from multiple skb fragment helpers that clear the SKB_SHARED_FRAG flag during cloning or shifting operations. An attacker maps a privileged binary into memory, attaches those pages to a network packet, routes it through a user-controlled IPsec ESP tunnel, and the decryption path performs an in-place write to the page cache. No disk modification occurs and file-integrity monitors see nothing. JFrog's public exploit and the upstream patch notes confirm the pattern across four related CVEs since late April. Each case involved a different frag-transfer site where the shared-memory contract was not preserved. The May 16 multi-site patch from Hyunwoo Kim addressed the remaining helpers after earlier fixes proved incomplete. Container hosts and multi-tenant CI systems remain exposed until kernels reach v7.1-rc5 or backports. Restricting unprivileged user namespaces closes the default path on affected distributions; AppArmor on Ubuntu 24.04 already blocks it. The root cause is architectural: zero-copy networking assumes every skb operation honors the flag contract, yet no enforcement mechanism exists. Distributions have published updates; Red Hat tracks the issue in Bugzilla. Continued discovery of variants indicates additional frag paths require systematic review rather than piecemeal fixes.