PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46000 Linux CVE debrief

A vulnerability in the Linux kernel's rxrpc (Remote Procedure Call over Rx) subsystem could allow packet sniffers to observe partially decrypted RESPONSE packets. The issue occurs because security operations that verify RESPONSE packets perform in-place decryption on sk_buff structures that may be shared with packet sniffers. When the sk_buff is cloned (shared), the sniffer would see corrupted packet data—actually the decrypted content—potentially exposing sensitive information or causing confusion in network monitoring tools. The fix ensures that a copy of the packet is handed to the security handler when the packet has been cloned, preventing the in-place decryption from affecting shared buffers.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with rxrpc-enabled services (AFS file servers, Kerberos deployments); security teams monitoring network traffic on affected systems; and kernel maintainers and distribution packagers responsible for stable kernel updates.

Technical summary

The rxrpc kernel subsystem implements the Remote Procedure Call over Rx protocol, used by services like AFS (Andrew File System) and Kerberos. RESPONSE packets in this protocol undergo security verification that includes in-place decryption of the packet contents. The sk_buff (socket buffer) structure that holds a network packet can be cloned, so that several consumers, including packet sniffers, share the same data. When the security operations decrypted a RESPONSE packet in place on a shared sk_buff, any attached packet sniffer received the modified (decrypted) data instead of the original ciphertext. This could expose decrypted protocol contents to unauthorized observers or cause diagnostic confusion. The resolution detects cloned packets and passes a copy to the security handlers, preserving the original buffer state for other consumers.
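A userspace C model of the sharing problem described above, added here as an illustration; it is not the kernel's code or the upstream patch. The struct and function names are hypothetical, the packet bytes are constructed, and the XOR step is a toy stand-in for the real decryption.

```c
#include <stdlib.h>
#include <string.h>

/* Userspace model (hypothetical names): two packet heads share one data area,
 * the way a cloned sk_buff shares its payload with the original. */
struct buf { unsigned char *data; size_t len; int users; };
struct pkt { struct buf *b; };

static struct pkt pkt_new(const unsigned char *src, size_t len) {
    struct buf *b = malloc(sizeof(*b));
    b->data = malloc(len);
    memcpy(b->data, src, len);
    b->len = len;
    b->users = 1;
    return (struct pkt){ b };
}
static struct pkt pkt_clone(struct pkt p) { p.b->users++; return p; } /* shares data */
static int pkt_cloned(struct pkt p) { return p.b->users > 1; }
static struct pkt pkt_copy(struct pkt p) { return pkt_new(p.b->data, p.b->len); }
static void pkt_put(struct pkt p) {
    if (--p.b->users == 0) { free(p.b->data); free(p.b); }
}

/* Stand-in for the security handler: XOR is a toy cipher, constructed for this model. */
static void decrypt_in_place(struct pkt p) {
    for (size_t i = 0; i < p.b->len; i++) p.b->data[i] ^= 0x5a;
}

/* Returns 1 if the sniffer's clone still holds the original wire bytes. */
static int sniffer_view_intact(int unshare_first) {
    const unsigned char wire[8] = { 0x13, 0x37, 0xc0, 0xde, 0xfe, 0xed, 0xbe, 0xef };
    struct pkt rx = pkt_new(wire, sizeof(wire));
    struct pkt tap = pkt_clone(rx);        /* packet sniffer's reference */
    struct pkt work = rx;
    if (unshare_first && pkt_cloned(rx))
        work = pkt_copy(rx);               /* private copy for the handler */
    decrypt_in_place(work);
    int intact = memcmp(tap.b->data, wire, sizeof(wire)) == 0;
    if (work.b != rx.b) pkt_put(work);
    pkt_put(tap);
    pkt_put(rx);
    return intact;
}

int main(void) {
    /* Exit 0 when the unfixed path alters the tap's view and the fixed path does not. */
    return !(sniffer_view_intact(0) == 0 && sniffer_view_intact(1) == 1);
}
```

Calling `sniffer_view_intact(0)` models the behaviour before the fix, and `sniffer_view_intact(1)` models handing the security handler a copy when the packet has been cloned.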

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor Linux distribution security advisories for backported fixes to affected kernel versions
  • Review network monitoring configurations for systems using rxrpc (AFS, Kerberos) to ensure no sensitive data exposure occurred
  • Consider restricting packet capture capabilities to authorized processes as defense in depth

Evidence notes

The vulnerability description indicates this is a resolved issue in the Linux kernel rxrpc subsystem. The fix involves modifying conn-level packet handling to unshare RESPONSE packets before security operations perform in-place decryption. Multiple stable kernel commits are referenced, suggesting backports to various kernel versions. The issue was published to CVE.org and NVD on 2026-05-27 with status 'Awaiting Analysis'. No CVSS score or severity has been assigned at time of disclosure.
