HOMEVULNERABILITIESCVE-2026-46193
NONE

CVE-2026-46193

Published: May 28, 2026· Updated: May 28, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:5.2th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: ah: account for ESN high bits in async callbacks

AH allocates its temporary auth/ICV layout differently when ESN is enabled:

the async ahash setup appends a 4-byte seqhi slot before the ICV or

auth_data area, but the async completion callbacks still reconstruct the

temporary layout as if seqhi were absent.

With an async AH implementation selected, that makes AH copy or compare

the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH

with ESN and forced async hmac(sha1), ping fails with 100% packet loss,

and the callback logs show the pre-fix drift:

ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24

ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36

Reconstruct the callback-side layout the same way the setup path built it

by skipping the ESN seqhi slot before locating the saved auth_data or ICV.

Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV

computation, so the async callbacks must account for the seqhi slot.

Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows

the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24

expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o

build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the

change has not been tested against a real async hardware AH engine.

NVD Source

Technical Analysis

CVE-2026-46193 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-46193
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 28, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46193 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.