Skip to main content

Linux Kernel CVE-2026-46000

| EUVDEUVD-2026-32296 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-97jg-j9j8-fpm3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

PR:L and AV:L reflect local low-privilege access; C:L added over official C:N to account for decrypted rxrpc credential exposure visible to cloned-buffer consumers per the confirmed Information Disclosure tag.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 13:23 vuln.today
CVSS changed
Jun 16, 2026 - 13:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted).

Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned.

AnalysisAI

The rxrpc connection-level packet handler in the Linux kernel modifies RESPONSE packet data in-place within a potentially shared sk_buff, exposing decrypted rxrpc authentication material to co-attached packet sniffers and risking kernel instability when a cloned buffer is written without unsharing. Systems running the rxrpc subsystem (primarily AFS clients and servers) from kernel 2.6.22 onward through the affected stable branches are vulnerable. No public exploit exists and EPSS sits at 0.02% (5th percentile) with no CISA KEV listing, indicating minimal real-world exploitation pressure; patches are confirmed across stable branches 6.6.140, 6.12.88, 7.0.4, 6.18.27, and 7.1-rc1.

Technical ContextAI

RxRPC (Reliable RPC over UDP, AF_RXRPC) is the Linux kernel protocol underlying the AFS distributed file system. Socket buffers (sk_buff) in the Linux networking stack can be cloned - reference-counted structures sharing the same underlying data region - by kernel subsystems such as AF_PACKET sniffers, netfilter hooks, or packet monitoring infrastructure. A fundamental copy-on-write invariant requires that any writer call skb_unshare() or skb_cow_data() before modifying a potentially cloned sk_buff. The rxrpc security operations that process RESPONSE packets (which carry authentication tokens and cryptographic handshake data for the RxRPC security layer) decrypt the payload in-place without first checking whether the sk_buff has been cloned. This violation of COW semantics causes the write to appear across all holders of the shared buffer, meaning any co-resident packet sniffer receives the decrypted - and from its perspective structurally corrupted - frame. While no CWE is formally assigned, the flaw most closely aligns with CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) or CWE-666 (Operation on Resource in Wrong Phase of Lifetime). The fix conditionally copies the sk_buff before passing it to the security handler when a clone is detected. The vulnerable code range runs from commit 17926a79320afa9b95df6b977b40cca6d8713cea (introduced in Linux 2.6.22) up to the per-branch fix commits.

RemediationAI

The primary fix is upgrading to a patched Linux kernel: 6.6.140, 6.12.88, 7.0.4, 6.18.27, or 7.1-rc1. Stable-branch fix commits are confirmed at https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f (6.6 branch), https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12 (6.12 branch), https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5 (7.0 branch), https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044 (6.18 branch), and https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00. Ubuntu users should apply updates from USN-8371-1 and USN-8370-1. As a compensating control where an immediate kernel upgrade is not feasible, disabling rxrpc usage by unmounting AFS file systems and preventing AF_RXRPC socket creation (via seccomp profile or AppArmor policy blocking socket(AF_RXRPC, ...)) eliminates the attack surface entirely, though this breaks AFS-dependent workloads. Additionally, restricting CAP_NET_RAW and CAP_NET_ADMIN via namespace isolation or seccomp reduces the likelihood of a co-resident sniffer cloning the vulnerable sk_buff, partially mitigating the credential-exposure aspect while leaving the in-place write issue technically present.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46000 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy