Skip to main content

Linux Kernel EUVDEUVD-2026-32409

| CVE-2026-46028 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mcp6-p965-q62g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only access via AF_ALG socket with low-privilege user; no confidentiality or integrity impact; high availability impact from kernel crash.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 16:11 vuln.today
CVSS changed
Jun 16, 2026 - 16:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

crypto: algif_aead - snapshot IV for async AEAD requests

AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the original request has fully completed, which can lead to inconsistent IV handling.

Snapshot the IV into per-request storage when preparing the AEAD request, so in-flight operations no longer depend on mutable socket state.

AnalysisAI

Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.

Technical ContextAI

The vulnerability resides in the Linux kernel's AF_ALG (Algorithm) socket interface, specifically the algif_aead module (crypto/algif_aead.c), which exposes kernel cryptographic primitives to userspace via socket operations. AEAD (Authenticated Encryption with Associated Data) algorithms - such as AES-GCM and ChaCha20-Poly1305 - depend on a unique Initialization Vector (IV) per operation to ensure ciphertext uniqueness and integrity. When applications use AIO (Asynchronous I/O) mode with AEAD via AF_ALG, multiple requests can be in-flight simultaneously. The vulnerable code path kept the IV in a single socket-wide buffer rather than copying it into per-request storage at submission time, creating a classic time-of-check/time-of-use race (conceptually CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization, though no CWE is officially assigned). Any subsequent socket write that modifies the shared IV before the original async operation completes will corrupt that in-flight request's cryptographic context. Affected products are confirmed by CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across multiple stable series, introduced by commit d887c52d6ae43aeebd249b5f2f1333e60236aa60.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel version: 5.10.254 or later in the 5.10 LTS series, 5.15.204 or later in the 5.15 LTS series, 6.1.170 or later in the 6.1 LTS series, 6.6.137 or later in the 6.6 LTS series, 6.12.85 or later in the 6.12 LTS series, 6.18.27 or later in the 6.18 series, or 7.0.4 or later. Upstream fix commits are available at git.kernel.org/stable/c/08ea39a556ecd39b33c2b4888861001c6706a62e, fa0fcec9b49d58e71df7ede91ecd86855f608e85, and related commits listed in the NVD references. Ubuntu users should apply updates per USN-8351-1 and USN-8350-1 at ubuntu.com/security/notices/. As a compensating control where patching is not immediately possible, restricting unprivileged access to AF_ALG sockets (e.g., via seccomp policy blocking socket(AF_ALG, ...) syscalls, or removing the algif_aead kernel module with rmmod algif_aead if AEAD crypto offload is not required) will eliminate the attack surface - note this will break applications that rely on AF_ALG AEAD offloading. Kernel live-patching solutions (kpatch, livepatch) may be applicable depending on distribution support.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32409 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy