Skip to main content

Linux Kernel CVE-2026-46039

| EUVDEUVD-2026-32420 CRITICAL
Integer Overflow or Wraparound (CWE-190)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8p5g-g3v4-xpm6
Critical
Disputed · 9.8 Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:39 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.8 (CRITICAL)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
CRITICAL 9.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rxgk: Fix potential integer overflow in length check

Fix potential integer overflow in rxgk_extract_token() when checking the length of the ticket. Rather than rounding up the value to be tested (which might overflow), round down the size of the available data.

AnalysisAI

Integer overflow in the Linux kernel's rxgk (RxRPC GSS Kerberos) token extraction routine allows remote attackers to potentially trigger memory corruption via length-check bypass in rxgk_extract_token(). The flaw affects Linux kernel versions in the 6.16.9-to-6.17 range and was fixed by changing the validation to round down available data instead of rounding up the tested value. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.

Technical ContextAI

The vulnerability resides in the rxgk (RxRPC Generic Security Services Kerberos) subsystem of the Linux kernel, which provides authentication for the AFS (Andrew File System) protocol over RxRPC transport. Specifically, rxgk_extract_token() performed a length check on an incoming ticket where the size value was rounded up before comparison, creating an arithmetic boundary condition where a crafted oversized value could wrap around the integer type and pass the check. This is a classic CWE-190 (Integer Overflow or Wraparound) pattern, despite NVD listing CWE as N/A; the fix inverts the arithmetic to round down the available buffer size, making the comparison safe against attacker-controlled token lengths.

RemediationAI

Upstream fix available via the linked git.kernel.org commits (183d37f1, 43222ac4, 6929350080); released patched versions per EUVD are Linux 6.18.27, 7.0.4, and 7.1-rc1, so upgrade to one of these or to your distribution's backported kernel as soon as your vendor publishes it (track Red Hat, SUSE, Ubuntu, and Debian security trackers for CVE-2026-46039). If patching is delayed, the most effective compensating control is to ensure the rxrpc kernel module is not loaded and is blacklisted (echo 'blacklist rxrpc' into /etc/modprobe.d/) on systems that do not require AFS - the side effect is that AFS/kAFS clients and servers will fail. Where AFS is required, restrict RxRPC traffic (UDP port 7000-7009 range typically) to trusted networks via host or perimeter firewalls until the kernel is updated; this preserves intra-cluster AFS while removing exposure to untrusted networks.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy