CVE-2026-46116

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete<br /> <br /> KASAN reproduces a slab-use-after-free in __xfrm_state_delete()&amp;#39;s<br /> hlist_del_rcu calls under syzkaller load on linux-6.12.y stable<br /> (reproduced on 6.12.47, also reachable via the same code path on<br /> torvalds/master and on the ipsec tree). Nine unique signatures cluster<br /> in the xfrm_state lifecycle, the load-bearing one being:<br /> <br /> BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]<br /> BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]<br /> BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c<br /> Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435<br /> <br /> Workqueue: netns cleanup_net<br /> Call Trace:<br /> __hlist_del / hlist_del_rcu<br /> __xfrm_state_delete<br /> xfrm_state_delete<br /> xfrm_state_flush<br /> xfrm_state_fini<br /> ops_exit_list<br /> cleanup_net<br /> <br /> The other observed signatures hit the same slab object from<br /> __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB<br /> write variant of __xfrm_state_delete, all on the byseq/byspi<br /> hash chains.<br /> <br /> __xfrm_state_delete() guards its byseq and byspi unhashes with<br /> value-based predicates:<br /> <br /> if (x-&gt;km.seq)<br /> hlist_del_rcu(&amp;x-&gt;byseq);<br /> if (x-&gt;id.spi)<br /> hlist_del_rcu(&amp;x-&gt;byspi);<br /> <br /> while everywhere else in the file (e.g. state_cache, state_cache_input)<br /> the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets<br /> x-&gt;id.spi = newspi inside xfrm_state_lock and then immediately inserts<br /> into byspi, but a path that observes x-&gt;id.spi != 0 outside of<br /> xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently<br /> with whether x is actually on the list. The same holds for x-&gt;km.seq<br /> versus byseq, and the bydst/bysrc unhashes have no predicate at all,<br /> so a second __xfrm_state_delete() on the same object writes through<br /> LIST_POISON pprev.<br /> <br /> The defensive change here:<br /> <br /> - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,<br /> bysrc, byseq and byspi so a second deletion is a no-op rather<br /> than a write through LIST_POISON pprev. The byseq/byspi nodes<br /> are already initialised in xfrm_state_alloc().<br /> - Test hlist_unhashed() rather than the value predicate for<br /> byseq/byspi, so the unhash decision tracks list state rather than<br /> mutable scalar fields.<br /> <br /> Empirical verification: applied this patch on top of v6.12.47, rebuilt,<br /> and re-ran the same syzkaller harness for 1h16m on a previously-crashy<br /> configuration that produced ~100 hits each of slab-use-after-free<br /> Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in<br /> __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at<br /> ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo<br /> confirms the xfrm_state slab is actively allocated and freed during<br /> the run (~143 KiB resident), so the fuzzer is still exercising those<br /> code paths -- they just no longer crash.<br /> <br /> Reproduction:<br /> <br /> - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV<br /> - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db<br /> - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal<br /> - 9 unique signatures collected in ~9h, all within xfrm_state<br /> lifecycle