{"document":{"category":"csaf_vex","csaf_version":"2.0","distribution":{"tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en-US","notes":[{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. KUNBUS RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.","title":"Legal Disclaimer"}],"publisher":{"category":"vendor","contact_details":"product-security@kunbus.com","issuing_authority":"KUNBUS GmbH develops and produces the Revolution Pi Family, Revolution Pi OS and the extension modules for RevPi amongst others. KUNBUS PSIRT is responsible for vulnerability handling across all KUNBUS products and services.","name":"KUNBUS PSIRT","namespace":"https://www.kunbus.com"},"title":"Fragnesia","tracking":{"current_release_date":"2026-06-03T12:43:21.710323034Z","generator":{"date":"2026-06-03T12:41:10.348Z","engine":{"name":"csaf-cms-backend","version":"1.0.0"}},"id":"Kunbus-2026-0000007","initial_release_date":"2026-06-03T12:43:21.710323034Z","revision_history":[{"date":"2026-06-03T12:43:21.710323034Z","number":"1.0.0","summary":"Initial Publication"}],"status":"final","version":"1.0.0"},"references":[{"category":"self","summary":"URL generated by system","url":"https://psirt.kunbus.com/white/2026/kunbus-2026-0000007.json"}]},"product_tree":{"branches":[{"branches":[{"branches":[{"branches":[{"category":"product_version_range","name":"Bookworm <= (03/2026)","product":{"name":"KUNBUS Revolution Pi Revolution Pi OS Bookworm <= (03/2026)","product_id":"CSAFPID-0004"}},{"category":"product_version_range","name":"Bullseye","product":{"name":"KUNBUS Revolution Pi Revolution Pi OS Bullseye","product_id":"CSAFPID-0005"}}],"category":"product_name","name":"Revolution Pi 
OS"},{"branches":[{"category":"product_version","name":"6.12.91-revpi0-rpi-v8","product":{"name":"KUNBUS Revolution Pi linux-image-revpi-v8 6.12.91-revpi0-rpi-v8","product_id":"CSAFPID-0001"}},{"category":"product_version_range","name":"<= 6.12.87-revpi0-rpi-v8","product":{"name":"KUNBUS Revolution Pi linux-image-revpi-v8 <= 6.12.87-revpi0-rpi-v8","product_id":"CSAFPID-0002"}}],"category":"product_name","name":"linux-image-revpi-v8"}],"category":"product_family","name":"Revolution Pi"}],"category":"vendor","name":"KUNBUS"}]},"vulnerabilities":[{"cve":"CVE-2026-46300","cwe":{"id":"CWE-787","name":"Out-of-bounds Write"},"notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. 
The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.","title":"Description"}],"product_status":{"fixed":["CSAFPID-0001"],"known_affected":["CSAFPID-0004","CSAFPID-0005","CSAFPID-0002"]},"remediations":[{"category":"vendor_fix","date":"2026-05-29T10:00:00.000Z","details":"Install the linux-image-revpi-v8 kernel package, version 6.12.91 or later, and reboot so that the updated kernel is the one running.","product_ids":["CSAFPID-0004","CSAFPID-0001"],"url":"https://packages.kunbus.com/pool/main/l/linux-revpi-v8/linux-image-revpi-v8_6.12.91-revpi0-1+deb12+1_arm64.deb"},{"category":"workaround","date":"2026-05-28T10:00:00.000Z","details":"Deactivate the ESP kernel modules (esp4 and esp6). This disables IPsec ESP processing, so IPsec tunnels on the device will stop working while the workaround is in place. Run as root:\n\nrmmod esp4 esp6\nprintf 'install esp4 /bin/false\\ninstall esp6 /bin/false\\n' > /etc/modprobe.d/fragnesia.conf","product_ids":["CSAFPID-0004","CSAFPID-0005","CSAFPID-0002"]}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":7.8,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["CSAFPID-0004","CSAFPID-0005","CSAFPID-0002"]}]}]}