CVE-2026-46193
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
28/05/2026
Última modificación:
19/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
xfrm: ah: account for ESN high bits in async callbacks<br />
<br />
AH allocates its temporary auth/ICV layout differently when ESN is enabled:<br />
the async ahash setup appends a 4-byte seqhi slot before the ICV or<br />
auth_data area, but the async completion callbacks still reconstruct the<br />
temporary layout as if seqhi were absent.<br />
<br />
With an async AH implementation selected, that makes AH copy or compare<br />
the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH<br />
with ESN and forced async hmac(sha1), ping fails with 100% packet loss,<br />
and the callback logs show the pre-fix drift:<br />
<br />
ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24<br />
ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36<br />
<br />
Reconstruct the callback-side layout the same way the setup path built it<br />
by skipping the ESN seqhi slot before locating the saved auth_data or ICV.<br />
Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV<br />
computation, so the async callbacks must account for the seqhi slot.<br />
<br />
Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows<br />
the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24<br />
expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o<br />
build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the<br />
change has not been tested against a real async hardware AH engine.
Impacto
Puntuación base 3.x
5.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.15 (incluyendo) | 6.6.140 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.88 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.30 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.7 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/0555d4f526232b3c9e3afbcd490c0c0793aefec6
- https://git.kernel.org/stable/c/1dae77078ceb4bab833f7a4935f05c5b8c97b9ba
- https://git.kernel.org/stable/c/2ffaa7a94f9a4d22724364a1821735a0231d9f8d
- https://git.kernel.org/stable/c/729899a2aa8bda7844be0cdcd3b470f11b912eda
- https://git.kernel.org/stable/c/7db99a09b3bc87268287bc7ab5f2e7f382b5ad87
- https://git.kernel.org/stable/c/ec406c26c97594124e79d14516b729a8d5dced62
- https://git.kernel.org/stable/c/ec54093e6a8f87e800bb6aa15eb7fc1e33faa524



