CVE-2026-46033 Linux CVE debrief

Who should care

Linux system administrators, kernel maintainers, container platform operators, and security teams monitoring crypto API attack surface in multi-tenant environments

Technical summary

The authencesn AEAD template in Linux kernel crypto subsystem failed to validate ahash digest sizes during transform instantiation. When combined with algorithms like cbcmac(cipher_null) producing 1-3 byte digests, the resulting transform inherited an invalid default authsize that the ESN encrypt/decrypt paths would use to access 4 bytes of sequence number data at the end of authenticated regions. This caused out-of-bounds memory access. The vulnerability was exploitable through AF_ALG sockets where unprivileged users could instantiate such transforms. The fix enforces minimum 4-byte digest size requirement (or zero) during crypto_authenc_esn_create(), preventing instantiation of vulnerable transform configurations.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates containing the referenced stable commits when available for your distribution
• Verify crypto API usage does not rely on authencesn with cbcmac(cipher_null) or similar short-digest ahash algorithms
• Monitor vendor security advisories for kernel package updates addressing CVE-2026-46033
• Review AF_ALG socket usage in containerized environments where unprivileged crypto access may be exposed

Evidence notes

CVE description confirms the vulnerability exists in crypto: authencesn and was resolved by rejecting short ahash digests during instance creation. Multiple stable kernel commits are referenced, indicating backports to supported branches. No CVSS score or severity assigned yet per NVD status 'Awaiting Analysis'.

Official resources