CVE-2026-46033

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
27/05/2026
Last modified:
30/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: authencesn - reject short ahash digests during instance creation<br /> <br /> authencesn requires either a zero authsize or an authsize of at least<br /> 4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of<br /> high-order sequence number data at the end of the authenticated data.<br /> <br /> While crypto_authenc_esn_setauthsize() already rejects explicit<br /> non-zero authsizes in the range 1..3, crypto_authenc_esn_create()<br /> still copied auth-&gt;digestsize into inst-&gt;alg.maxauthsize without<br /> validating it. The AEAD core then initialized the tfm&amp;#39;s default<br /> authsize from that value.<br /> <br /> As a result, selecting an ahash with digest size 1..3, such as<br /> cbcmac(cipher_null), exposed authencesn instances whose default<br /> authsize was invalid even though setauthsize() would have rejected the<br /> same value. AF_ALG could then trigger the ESN tail handling with a<br /> too-short tag and hit an out-of-bounds access.<br /> <br /> Reject authencesn instances whose ahash digest size is in the invalid<br /> non-zero range 1..3 so that no tfm can inherit an unsupported default<br /> authsize.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.11 (including) 5.10.258 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.209 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.4 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*