Skip to main content

Linux Kernel CVE-2026-46101

| EUVDEUVD-2026-32484 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8x7w-42q6-mv4p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privileges (CAP_NET_ADMIN or user namespace) required to load nftables rules; impact is kernel crash only, no confidentiality or integrity loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.6 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:38 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: reject zero shift in nft_bitwise

Reject zero shift operands for nft_bitwise left and right shift expressions during initialization.

The carry propagation logic computes the carry from the adjacent 32-bit word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this into a 32-bit shift, which is undefined behaviour.

Reject zero shift operands in the control plane, alongside the existing check for values greater than or equal to 32, so malformed rules never reach the packet path.

AnalysisAI

Undefined behavior in the Linux kernel's nftables bitwise expression handler allows a local attacker with low privileges to crash the kernel. The nft_bitwise subsystem failed to reject zero-value shift operands during rule initialization; a zero shift causes the carry propagation formula (BITS_PER_TYPE(u32) - shift = 32 - 0 = 32) to perform a 32-bit shift of a 32-bit type, which is undefined behavior in C and can result in a kernel panic. No public exploit is identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low automated exploitation activity, consistent with the local-only attack vector requiring nftables configuration privileges.

Technical ContextAI

The vulnerability resides in the Linux kernel's netfilter subsystem, specifically the nft_bitwise expression handler (net/netfilter/nft_bitwise.c), which implements bitwise left and right shift operations for nftables packet-matching rules. When computing carry propagation across adjacent 32-bit words, the code calculates BITS_PER_TYPE(u32) - shift; with a zero shift operand, this yields a 32-bit right or left shift of a uint32_t value. Per the C standard, shifting a value by an amount equal to or greater than the width of the type is undefined behavior - the compiler may silently produce incorrect values or trigger an oops/panic. The fix adds a validation gate during control-plane initialization (before rules reach the packet path) to reject zero shift operands alongside the pre-existing rejection of values >= 32. The vulnerability was introduced at commit 567d746b55bc66d3800c9ae91d50f0c5deb2fd93 (present since Linux 5.6) and is confirmed across CPE cpe:2.3:o:linux:linux_kernel across multiple stable branches. No CWE is formally assigned, but the root cause maps conceptually to CWE-1335 (Incorrect Bitwise Shift of Integer) or CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior).

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.6.140 or later for the 6.6 LTS branch, 6.12.86 or later for the 6.12 LTS branch, 7.0.4 or later for the 7.0 branch, or 7.1-rc2 or later for mainline. Patches are available via kernel.org stable trees at https://git.kernel.org/stable/c/6f820139d16a4c9865a145d4a9cf9c92cc632c14 and related commits. For systems where immediate kernel upgrade is not feasible, two compensating controls reduce exposure: first, disable unprivileged user namespaces (sysctl -w kernel.unprivileged_userns_clone=0 on systems that support it, or kernel.userns_max=0), which prevents non-root users from obtaining CAP_NET_ADMIN - note this breaks container runtimes that rely on rootless operation (Docker rootless, Podman, etc.); second, restrict direct CAP_NET_ADMIN grants to only explicitly trusted users and services. Blocking nftables rule creation entirely via AppArmor or SELinux policy for untrusted users is also effective but may impact legitimate network management tooling. Distributions using nftables as the default firewall backend (Debian 10+, Ubuntu 20.04+, RHEL 8+) should be prioritized for patching.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected

Share

CVE-2026-46101 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy