CVE-2026-46193
Received - Intake
Buffer Overflow in Linux Kernel XFRM AH

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: ah: account for ESN high bits in async callbacks

AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent. With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths.

In a UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:

  • ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24
  • ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36

Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.

Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.
Affected Vendors & Products (1 associated CPE)
Vendor: linux_kernel
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's implementation of the Authentication Header (AH) protocol when Extended Sequence Number (ESN) is enabled and asynchronous hashing (async ahash) is used.

The issue arises because the async AH setup adds a 4-byte sequence high (seqhi) slot before the Integrity Check Value (ICV) or authentication data, but the async completion callbacks incorrectly reconstruct the layout as if this seqhi slot were absent.

As a result, AH copies or compares incorrect bytes on both IPv4 and IPv6 paths, leading to failures such as 100% packet loss in certain test scenarios.

The fix involves making the async callbacks reconstruct the layout correctly by accounting for the seqhi slot, aligning with RFC 4302 which states that the ESN high-order 32 bits participate in the AH ICV computation.
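As an added example (not the kernel's code and not part of the advisory), the C model below reproduces the temporary-buffer offset drift described above for the IPv4 input and output callbacks with a 20-byte IP header and a 96-bit hmac(sha1) ICV, and shows why the pre-fix input callback rejects a valid packet while the post-fix one accepts it. Function names are hypothetical, and the kernel's PTR_ALIGN rounding is assumed to be a no-op.

```c
#include <stdint.h>
#include <string.h>
#define IHL           20  /* IPv4 header without options */
#define ICV_TRUNC_LEN 12  /* hmac(sha1) ICV truncated to 96 bits */
#define SEQHI_LEN      4  /* ESN high-order 32 bits */
struct ah_layout { int auth_off, icv_off; };

/* Input setup side: [IP header][seqhi if ESN][auth_data from packet][computed ICV] */
static struct ah_layout ah_input_setup_layout(int esn)
{
    struct ah_layout l;
    l.auth_off = IHL + (esn ? SEQHI_LEN : 0);
    l.icv_off  = l.auth_off + ICV_TRUNC_LEN;
    return l;
}

/* Callback side. Pre-fix it rebuilt the layout without the seqhi slot;
 * the fix skips the slot exactly as the setup side did. */
static struct ah_layout ah_input_done_layout(int esn, int fixed)
{
    struct ah_layout l;
    l.auth_off = IHL + ((esn && fixed) ? SEQHI_LEN : 0);
    l.icv_off  = l.auth_off + ICV_TRUNC_LEN;
    return l;
}

/* Output callback ICV read offset; pre-fix it is the seqhi slot itself (20, not 24) */
static int ah_output_done_icv_off(int esn, int fixed)
{
    return IHL + ((esn && fixed) ? SEQHI_LEN : 0);
}

/* Callback-side crypto_memneq() model: returns 0 when the ICV check passes, -1 for -EBADMSG */
static int ah_input_verify(int esn, int fixed)
{
    /* Constructed sample: 12 distinct ICV bytes, ESN high word = 1. */
    static const uint8_t icv[ICV_TRUNC_LEN] = { 0x10, 0x11, 0x12, 0x13,
        0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b };
    static const uint8_t seqhi[SEQHI_LEN] = { 0x00, 0x00, 0x00, 0x01 };
    uint8_t tmp[64];
    struct ah_layout s = ah_input_setup_layout(esn);
    struct ah_layout d = ah_input_done_layout(esn, fixed);
    memset(tmp, 0xee, sizeof tmp);                /* unrelated bytes */
    if (esn)
        memcpy(tmp + IHL, seqhi, SEQHI_LEN);      /* seqhi slot */
    memcpy(tmp + s.auth_off, icv, ICV_TRUNC_LEN); /* from the packet */
    memcpy(tmp + s.icv_off, icv, ICV_TRUNC_LEN);  /* ahash result */
    return memcmp(tmp + d.icv_off, tmp + d.auth_off, ICV_TRUNC_LEN) ? -1 : 0;
}
```

With ESN off both sides agree on the same offsets, so only the ESN case drifts; the pre-fix compare lines up the seqhi bytes against the tail of the ICV and fails even though the ICV itself matches.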


How can this vulnerability impact me?

This vulnerability can cause the Authentication Header (AH) protocol to malfunction when ESN and asynchronous hashing are used, resulting in incorrect authentication checks.

In practical terms, this can lead to communication failures such as 100% packet loss in IPv4 AH with ESN enabled, as the system incorrectly processes authentication data.

Such failures can disrupt secure network communications that rely on AH for integrity and authentication, potentially causing denial of service or loss of connectivity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability concerns the Linux kernel's handling of AH (Authentication Header) with ESN (Extended Sequence Number) in the asynchronous completion callbacks. It only comes into play when an AH state has ESN enabled and the selected hash implementation completes asynchronously, so detection means establishing whether that combination is in use and observing its failure mode: AH+ESN packets rejected on input, or emitted with a wrong ICV on output, showing up as packet loss.

In the advisory's UML (User Mode Linux) reproduction with IPv4 AH+ESN and forced async hmac(sha1), ping fails with 100% packet loss and the instrumented callback logs show the offset drift:

  • ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24
  • ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36

Note that these offset lines come from instrumentation added for the reproduction; a stock kernel does not log them. On an ordinary system, checks that help confirm whether you are exposed and whether the bug is biting:

  • ip xfrm state: lists the installed SAs; an affected configuration shows proto ah together with flag esn.
  • ip -s xfrm state: the per-state stats line includes a failed counter that grows when ICV verification rejects packets.
  • /proc/net/xfrm_stat: the XfrmInStateProtoError counter increases for every packet the AH input path rejects.
  • ping (or any traffic) across the AH+ESN SA pair: persistent loss while the counters above climb matches the behaviour described in the advisory.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by correcting the async AH implementation to properly account for the ESN seqhi slot in the authentication data layout.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid using asynchronous AH implementations with ESN enabled until the fix is applied.
  • Monitor network traffic and kernel logs for signs of AH+ESN authentication failures.
