Skip to main content

Linux Kernel CVE-2026-46104

| EUVDEUVD-2026-32863 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h7hm-vjhc-hcgc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects the non-default stacked LSM configuration prerequisite; all other metrics align with local, low-privilege, availability-only impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:39 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

selinux: use sk blob accessor in socket permission helpers

SELinux socket state lives in the composite LSM socket blob.

sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.

In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.

Use selinux_sock() instead of accessing sk->sk_security directly.

AnalysisAI

SELinux socket permission helpers in the Linux kernel misread security blob data in stacked LSM configurations, causing kernel crashes or incorrect AVC (Access Vector Cache) decisions. Specifically, sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly under the assumption that the SELinux blob always sits at offset zero, which fails when another LSM allocates socket blob storage ahead of SELinux in a stacked configuration. No public exploit has been identified at time of analysis, EPSS is 0.02%, and patches are available for Linux 6.18.30 and 7.0.7.

Technical ContextAI

The Linux Security Module (LSM) framework supports stacked configurations where multiple LSMs (e.g., SELinux alongside Lockdown, BPF LSM, or AppArmor) share a composite security blob per kernel object. Each LSM's per-object state is stored at a calculated offset within that blob, not necessarily at offset zero. The affected code in the SELinux subsystem - specifically sock_has_perm() and nlmsg_sock_has_extended_perms() - bypasses the selinux_sock() accessor and reads sk->sk_security directly, assuming offset zero. In a stacked configuration where a preceding LSM claims blob storage before SELinux, this direct dereference lands in the wrong LSM's data region. The result is that garbage or foreign SID (Security Identifier) and class values are passed into AVC checks, which can trigger kernel panics or bypass intended policy enforcement. The CWE is not formally assigned, but this is structurally a pointer arithmetic/offset confusion error within kernel shared memory management. Affected product scope per CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covering kernel versions from the introduction commit d1d991efaf34606d500dcbd28bedc0666eeec8e2 up to (but not including) the fix commits.

RemediationAI

The primary remediation is upgrading to a patched kernel release: Linux 6.18.30, Linux 7.0.7, or Linux 7.1-rc2 or later. The three upstream fix commits (d350fef4bc2467fe1bce15f7a20fe60e01ce41ad, 032e70aff025d7c519af9ab791cd084380619263, 7eca71f57f194c1638ebb7f4097d6be8fd04c101) are available at https://git.kernel.org/stable/c/ and can be cherry-picked by distribution maintainers into vendor-specific stable trees. As a compensating control where immediate patching is not feasible, administrators can restrict stacked LSM configurations by disabling secondary LSMs that allocate blob storage ahead of SELinux (e.g., unsetting CONFIG_BPF_LSM or adjusting the lsm= kernel boot parameter to list SELinux first), though this may reduce security policy coverage from those secondary LSMs. A second workaround is restricting local user socket creation via existing SELinux policy or network namespace constraints, which reduces the attack surface but does not eliminate the kernel-level bug. No vendor advisory URL beyond the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-46104) and the kernel stable git references was identified at time of analysis.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy