CVE-2026-46193

Source
https://cve.org/CVERecord?id=CVE-2026-46193
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46193.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46193
Downstream
Related
Published
2026-05-28T09:36:46.611Z
Modified
2026-07-15T01:49:06.498899797Z
Summary
xfrm: ah: account for ESN high bits in async callbacks
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: ah: account for ESN high bits in async callbacks

AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.

With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:

ah4 outputdone: esn=1 err=0 icvoff=20 expectedoff=24 ah4 inputdone: esn=1 authoff=20 expectedauthoff=24 icvoff=32 expectedicvoff=36

Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.

Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 outputdone: esn=1 err=0 icvoff=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46193.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d4d573d0334d07341beffdcf97e2b85d3955d8ae
Fixed
ec406c26c97594124e79d14516b729a8d5dced62
Fixed
1dae77078ceb4bab833f7a4935f05c5b8c97b9ba
Fixed
0555d4f526232b3c9e3afbcd490c0c0793aefec6
Fixed
729899a2aa8bda7844be0cdcd3b470f11b912eda
Fixed
7db99a09b3bc87268287bc7ab5f2e7f382b5ad87
Fixed
2ffaa7a94f9a4d22724364a1821735a0231d9f8d
Fixed
ec54093e6a8f87e800bb6aa15eb7fc1e33faa524

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46193.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.15.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.88
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.30
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46193.json"