Skip to main content

Linux Kernel CVE-2026-46193

| EUVDEUVD-2026-32820 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h5pr-w979-v38m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.1 MEDIUM

Configuring xfrm AH policies with ESN requires CAP_NET_ADMIN (PR:H), and three non-default conditions must coincide for impact (AC:H); no confidentiality or integrity impact.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:43 vuln.today
CVSS changed
Jun 10, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

xfrm: ah: account for ESN high bits in async callbacks

AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.

With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:

ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24 ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36

Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.

Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.

AnalysisAI

The xfrm AH (Authentication Header) subsystem in the Linux kernel miscalculates ICV buffer offsets during asynchronous callback processing when Extended Sequence Numbers (ESN) are enabled, resulting in 100% packet loss on affected IPsec AH tunnels. Systems running AH with ESN and an async HMAC implementation (confirmed in developer-provided UML repro with forced-async hmac(sha1)) on both IPv4 and IPv6 paths are affected across multiple stable kernel branches going back to the commit introducing ESN async support. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting a correctness defect with no exploitation interest rather than a broad attack surface; patch versions are confirmed across six stable branches.

Technical ContextAI

The Linux kernel's xfrm framework implements IPsec protocols including AH (Authentication Header, defined by RFC 4302). When ESN is enabled, RFC 4302 mandates that the high-order 32 bits of the extended sequence number (seqhi) participate in the AH ICV computation. The async ahash setup path correctly prepends a 4-byte seqhi slot before the ICV or auth_data area in the temporary buffer. However, the async completion callbacks (ah4_output_done, ah4_input_done, and their IPv6 equivalents in ah6.o) reconstruct this temporary layout without skipping the seqhi slot, causing them to read and compare bytes at incorrect offsets. The developer's own repro logs document the exact drift: icv_off=20 versus expected_off=24 on the output path, and auth_off=20/icv_off=32 versus expected values of 24/36 on the input path. The root cause is an offset accounting error specific to the ESN+async code path, not present in synchronous AH or non-ESN configurations. Affected products are identified by CPE cpe:2.3:o:linux:linux_kernel:* across all stable branches since the introducing commit d4d573d0334d07341beffdcf97e2b85d3955d8ae, which has been present since Linux 3.15 per EUVD-2026-32820.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3. Upstream stable commits are available at https://git.kernel.org/stable/c/729899a2aa8bda7844be0cdcd3b470f11b912eda (7.0.x branch), https://git.kernel.org/stable/c/7db99a09b3bc87268287bc7ab5f2e7f382b5ad87 (7.1-rc3), https://git.kernel.org/stable/c/0555d4f526232b3c9e3afbcd490c0c0793aefec6, https://git.kernel.org/stable/c/2ffaa7a94f9a4d22724364a1821735a0231d9f8d, and https://git.kernel.org/stable/c/ec54093e6a8f87e800bb6aa15eb7fc1e33faa524. If immediate patching is not possible, three specific compensating controls can eliminate the vulnerable code path without patching: (1) Disable ESN on AH IPsec policies by reconfiguring xfrm policy without the use-esn flag - this trades reduced sequence space (32-bit wraparound risk at high packet rates) for immediate relief; (2) Replace AH with ESP plus an authentication transform, which avoids the affected ah4.o/ah6.o code paths entirely, though this changes the cryptographic policy structure; (3) Avoid async crypto offload by ensuring the kernel selects a synchronous HMAC implementation, preventing the async callback path from being invoked. Note that the commit description explicitly states IPv6 AH+ESN was not runtime-tested, so IPv6 exposure should be treated as present pending independent verification.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46193 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy