CVE-2026-46104 Linux CVE debrief

Who should care

Organizations running Linux with SELinux enabled alongside other LSMs (stacked configurations), kernel maintainers, distribution security teams, and systems requiring strict mandatory access control enforcement.

Technical summary

The vulnerability exists in SELinux's socket permission checking code. Two helper functions—`sock_has_perm()` and `nlmsg_sock_has_extended_perms()`—directly accessed `sk->sk_security` to retrieve SELinux security state. In Linux Security Module (LSM) stacking configurations, socket blobs are composite structures where multiple LSMs may allocate storage. Direct offset-zero access fails when another LSM allocates first, causing SELinux to read another LSM's blob data. This corruption feeds garbage SID (security identifier) and class values into the AVC (access vector cache), potentially resulting in incorrect permission grants or denials. The resolution uses `selinux_sock()`, the proper accessor that calculates SELinux's blob offset dynamically.

Defensive priority

medium

Recommended defensive actions

• Review kernel SELinux configurations for stacked LSM deployments
• Apply kernel updates containing commits 032e70aff025d7c519af9ab791cd084380619263, 7eca71f57f194c1638ebb7f4097d6be8fd04c101, or d350fef4bc2467fe1bce15f7a20fe60e01ce41ad
• Monitor for kernel stable releases incorporating this fix
• Audit systems using multiple LSMs (e.g., SELinux with AppArmor or Smack) for potential security policy bypasses

Evidence notes

CVE published 2026-05-28T10:16:25.757Z. Kernel commit references provided for stable branches. No CVSS score or severity assigned by NVD at time of disclosure.

Official resources