CVE-2026-46033
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
27/05/2026
Last modified:
30/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
crypto: authencesn - reject short ahash digests during instance creation<br />
<br />
authencesn requires either a zero authsize or an authsize of at least<br />
4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of<br />
high-order sequence number data at the end of the authenticated data.<br />
<br />
While crypto_authenc_esn_setauthsize() already rejects explicit<br />
non-zero authsizes in the range 1..3, crypto_authenc_esn_create()<br />
still copied auth->digestsize into inst->alg.maxauthsize without<br />
validating it. The AEAD core then initialized the tfm&#39;s default<br />
authsize from that value.<br />
<br />
As a result, selecting an ahash with digest size 1..3, such as<br />
cbcmac(cipher_null), exposed authencesn instances whose default<br />
authsize was invalid even though setauthsize() would have rejected the<br />
same value. AF_ALG could then trigger the ESN tail handling with a<br />
too-short tag and hit an out-of-bounds access.<br />
<br />
Reject authencesn instances whose ahash digest size is in the invalid<br />
non-zero range 1..3 so that no tfm can inherit an unsupported default<br />
authsize.
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.11 (including) | 5.10.258 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.175 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2f31cd1e64a079c845bca31d2da7b3c90a311726
- https://git.kernel.org/stable/c/5db6ef9847717329f12c5ea8aba7e9f588a980c0
- https://git.kernel.org/stable/c/67f1f0933cc3d78dde222842bcad2778ec7a0b88
- https://git.kernel.org/stable/c/77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9
- https://git.kernel.org/stable/c/9aff81e8217e9de2929084b03b3c7f81988c112b
- https://git.kernel.org/stable/c/b42821c15445f93daea3e76ada682b2b7181c476
- https://git.kernel.org/stable/c/b69933e97efea238ebbfcf70c2b1be1cd03f13e3
- https://git.kernel.org/stable/c/d4c6a6d08e70bb1083c7c405fc7faacbf19aebc0
- https://access.redhat.com/security/cve/CVE-2026-46033
- https://bugzilla.redhat.com/show_bug.cgi?id=2482000
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46033.json



