Skip to main content

Linux Kernel CVE-2026-46116

| EUVDEUVD-2026-32875 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-96hg-7p79-ggx2
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:51 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete

KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:

BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline] BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline] BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435

Workqueue: netns cleanup_net Call Trace: __hlist_del / hlist_del_rcu __xfrm_state_delete xfrm_state_delete xfrm_state_flush xfrm_state_fini ops_exit_list cleanup_net

The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.

__xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:

if (x->km.seq) hlist_del_rcu(&x->byseq); if (x->id.spi) hlist_del_rcu(&x->byspi);

while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.

The defensive change here:

  • Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,

bysrc, byseq and byspi so a second deletion is a no-op rather than a write through LIST_POISON pprev. The byseq/byspi nodes are already initialised in xfrm_state_alloc().

  • Test hlist_unhashed() rather than the value predicate for

byseq/byspi, so the unhash decision tracks list state rather than mutable scalar fields.

Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.

Reproduction:

  • Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
  • syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
  • 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
  • 9 unique signatures collected in ~9h, all within xfrm_state

lifecycle

AnalysisAI

Use-after-free in the Linux kernel's xfrm (IPsec) state management subsystem allows local attackers with low privileges to trigger memory corruption via concurrent xfrm_state lifecycle operations. The flaw resides in __xfrm_state_delete() where value-based predicates on x->km.seq and x->id.spi can race with xfrm_alloc_spi() outside of xfrm_state_lock, leading to slab-use-after-free writes through LIST_POISON pointers on the byseq/byspi/bydst/bysrc hash chains. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), but a vendor patch is available.

Technical ContextAI

The vulnerability lies in net/xfrm/xfrm_state.c, the IPsec Security Association (SA) state machine that maintains hash chains (bydst, bysrc, byseq, byspi) for fast lookup of xfrm_state objects. __xfrm_state_delete() used value predicates (if x->km.seq, if x->id.spi) to decide whether to call hlist_del_rcu, rather than the safer hlist_unhashed() check used elsewhere. Because xfrm_alloc_spi() sets x->id.spi inside xfrm_state_lock but other paths observe the field outside the lock, the unhash decision can desync from actual list membership, and double-deletes write through LIST_POISON pprev - a classic CWE-416 (Use After Free) / CWE-362 (race condition) pattern on RCU hash list manipulation. KASAN under syzkaller reproduced nine unique signatures clustering in xfrm_state lifecycle paths including __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and __xfrm_state_delete.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 7.0.7, or 7.1-rc3 (or any later stable release on those branches), which switch to hlist_del_init_rcu() and hlist_unhashed() checks so that a second deletion becomes a no-op rather than a write through LIST_POISON. Distribution users should pull the corresponding stable backports referenced at https://git.kernel.org/stable/c/14acf9652e5690de3c7486c6db5fb8dafd0a32a3, https://git.kernel.org/stable/c/26edb0a3c99f9d958c212be68b21f1221614dcf0, https://git.kernel.org/stable/c/4980162de555cb838f1a189ce7d2cbf5d2e7b050, https://git.kernel.org/stable/c/a2e2d08fb070fab4947447171f1c4e3ca5a188e5, and https://git.kernel.org/stable/c/b4a53add2fa8f1b5aa17d4c5686c320785fab182. As a compensating control where patching is blocked, restrict access to AF_KEY/XFRM netlink (PF_KEY_V2 / NETLINK_XFRM) by denying CAP_NET_ADMIN to untrusted user namespaces (sysctl kernel.unprivileged_userns_clone=0) and blacklisting xfrm_user via modprobe - note this will break IPsec/IKEv2 (strongSwan, libreswan, WireGuard-over-IPsec) and any container runtime that creates network namespaces requiring xfrm.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy