CVE-2026-46104
Received - Intake
SELinux Socket Permission Helper Use-After-Free in Linux Kernel

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

selinux: use sk blob accessor in socket permission helpers

SELinux socket state lives in the composite LSM socket blob. sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.

In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.

Use selinux_sock() instead of accessing sk->sk_security directly.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's SELinux implementation related to socket permission helpers.

SELinux socket state is stored in a composite LSM socket blob. The functions sock_has_perm() and nlmsg_sock_has_extended_perms() currently access the SELinux socket blob by directly dereferencing sk->sk_security, assuming the SELinux socket blob is at offset zero.

However, in configurations where multiple Linux Security Modules (LSMs) are stacked, this assumption may not hold true. If another LSM allocates socket blob storage before SELinux, these functions may read the wrong blob, resulting in invalid security identifier (SID) and class values being used in access vector cache (AVC) permission checks.

The fix involves using the selinux_sock() accessor function instead of directly accessing sk->sk_security to correctly retrieve the SELinux socket blob.
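
The offset-zero assumption described above, as a userspace C model added here (not kernel code and not taken from the fix). `struct sock_model`, `struct sk_sec_model`, `struct other_lsm_sock`, `selinux_lbs_sock` and `selinux_sock_model()` are hypothetical stand-ins for the kernel socket, the SELinux socket state, an earlier LSM's storage, the SELinux blob offset and `selinux_sock()`.

```c
/* Userspace model of a composite LSM socket blob; constructed, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct other_lsm_sock { uint64_t cookie; };              /* hypothetical LSM registered first */
struct sk_sec_model { uint32_t sid; uint16_t sclass; };  /* stand-in for SELinux socket state */
struct sock_model { void *sk_security; };                /* stand-in for struct sock */

static size_t selinux_lbs_sock;  /* offset of the SELinux part in the composite blob */

/* Pre-fix pattern: treats the start of the blob as SELinux state. */
static const void *direct_deref(const struct sock_model *sk)
{
    return sk->sk_security;
}

/* Post-fix pattern: an accessor that adds the SELinux offset. */
static const void *selinux_sock_model(const struct sock_model *sk)
{
    return (const char *)sk->sk_security + selinux_lbs_sock;
}

/* Store SID 42 / class 7 in the SELinux part, then read the label back
 * through `get`. Returns 1 if the stored label comes back, 0 otherwise. */
static int reads_stored_label(const void *(*get)(const struct sock_model *), int stacked)
{
    unsigned char blob[sizeof(struct other_lsm_sock) + sizeof(struct sk_sec_model)];
    struct other_lsm_sock other = { .cookie = 0xA5A5A5A5A5A5A5A5ull };
    struct sk_sec_model stored = { .sid = 42, .sclass = 7 }, seen;
    struct sock_model sk = { .sk_security = blob };

    memset(blob, 0, sizeof(blob));
    selinux_lbs_sock = stacked ? sizeof(other) : 0;  /* another LSM came first */
    if (stacked)
        memcpy(blob, &other, sizeof(other));
    memcpy(blob + selinux_lbs_sock, &stored, sizeof(stored));

    memcpy(&seen, get(&sk), sizeof(seen));
    return seen.sid == stored.sid && seen.sclass == stored.sclass;
}

int main(void)
{
    /* Exit status 0 when only the stacked direct read returns a wrong label. */
    return !(reads_stored_label(direct_deref, 0) &&
             reads_stored_label(selinux_sock_model, 1) &&
             !reads_stored_label(direct_deref, 1));
}
```

With SELinux alone the two access patterns agree, which is why the direct dereference goes unnoticed until another LSM's socket storage is placed ahead of it.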


How can this vulnerability impact me?

This vulnerability can cause SELinux to perform incorrect permission checks on sockets due to reading invalid security data.

As a result, unauthorized access might be granted or legitimate access denied, potentially leading to security policy enforcement failures.

In environments relying on SELinux for mandatory access control, this could weaken the overall security posture by allowing unintended communication or blocking necessary communication between processes.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by using selinux_sock() instead of directly accessing sk->sk_security in the Linux kernel SELinux socket permission helpers.

To mitigate this vulnerability, ensure your Linux kernel is updated to a version that includes this fix.

