HOMEVULNERABILITIESCVE-2026-46116
HIGH

CVE-2026-46116

Published: May 28, 2026· Updated: May 30, 2026

7.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:5.2th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete

KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s

hlist_del_rcu calls under syzkaller load on linux-6.12.y stable

(reproduced on 6.12.47, also reachable via the same code path on

torvalds/master and on the ipsec tree). Nine unique signatures cluster

in the xfrm_state lifecycle, the load-bearing one being:

BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]

BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]

BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c

Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435

Workqueue: netns cleanup_net

Call Trace:

__hlist_del / hlist_del_rcu

__xfrm_state_delete

xfrm_state_delete

xfrm_state_flush

xfrm_state_fini

ops_exit_list

cleanup_net

The other observed signatures hit the same slab object from

__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB

write variant of __xfrm_state_delete, all on the byseq/byspi

hash chains.

__xfrm_state_delete() guards its byseq and byspi unhashes with

value-based predicates:

if (x->km.seq)

hlist_del_rcu(&x->byseq);

if (x->id.spi)

hlist_del_rcu(&x->byspi);

while everywhere else in the file (e.g. state_cache, state_cache_input)

the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets

x->id.spi = newspi inside xfrm_state_lock and then immediately inserts

into byspi, but a path that observes x->id.spi != 0 outside of

xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently

with whether x is actually on the list. The same holds for x->km.seq

versus byseq, and the bydst/bysrc unhashes have no predicate at all,

so a second __xfrm_state_delete() on the same object writes through

LIST_POISON pprev.

The defensive change here:

- Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,

bysrc, byseq and byspi so a second deletion is a no-op rather

than a write through LIST_POISON pprev. The byseq/byspi nodes

are already initialised in xfrm_state_alloc().

- Test hlist_unhashed() rather than the value predicate for

byseq/byspi, so the unhash decision tracks list state rather than

mutable scalar fields.

Empirical verification: applied this patch on top of v6.12.47, rebuilt,

and re-ran the same syzkaller harness for 1h16m on a previously-crashy

configuration that produced ~100 hits each of slab-use-after-free

Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in

__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at

~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo

confirms the xfrm_state slab is actively allocated and freed during

the run (~143 KiB resident), so the fuzzer is still exercising those

code paths -- they just no longer crash.

Reproduction:

- Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV

- syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db

- 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal

- 9 unique signatures collected in ~9h, all within xfrm_state

lifecycle

NVD Source

Technical Analysis

CVE-2026-46116 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-46116
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 28, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46116 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.