HOMEVULNERABILITIESCVE-2026-46081
HIGH

CVE-2026-46081

Published: May 27, 2026· Updated: May 30, 2026

7.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.3th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: acomp - fix wrong pointer stored by acomp_save_req()

acomp_save_req() stores &req->chain in req->base.data. When

acomp_reqchain_done() is invoked on asynchronous completion, it receives

&req->chain as the data argument but casts it directly to struct

acomp_req. Since data points to the chain member, all subsequent field

accesses are at a wrong offset, resulting in memory corruption.

The issue occurs when an asynchronous hardware implementation, such as

the QAT driver, completes a request that uses the DMA virtual address

interface (e.g. acomp_request_set_src_dma()). This combination causes

crypto_acomp_compress() to enter the acomp_do_req_chain() path, which

sets acomp_reqchain_done() as the completion callback via

acomp_save_req().

With KASAN enabled, this manifests as a general protection fault in

acomp_reqchain_done():

general protection fault, probably for non-canonical address 0xe000040000000000

KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007]

RIP: 0010:acomp_reqchain_done+0x15b/0x4e0

Call Trace:

<IRQ>

qat_comp_alg_callback+0x5d/0xa0 [intel_qat]

adf_ring_response_handler+0x376/0x8b0 [intel_qat]

adf_response_handler+0x60/0x170 [intel_qat]

tasklet_action_common+0x223/0x820

handle_softirqs+0x1ab/0x640

</IRQ>

Fix this by storing the request itself in req->base.data instead of

&req->chain, so that acomp_reqchain_done() receives the correct pointer.

Simplify acomp_restore_req() accordingly to access req->chain directly.

NVD Source

Technical Analysis

CVE-2026-46081 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
LinuxCanonical
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (3)

Quick Facts

CVE IDCVE-2026-46081
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46081 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.