PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46116 Linux CVE debrief

A slab-use-after-free vulnerability in the Linux kernel's XFRM (IPsec) state management code allows use-after-free reads and out-of-bounds writes during xfrm_state object teardown. The root cause is inconsistent list-unhashing logic in __xfrm_state_delete(): whether an entry is removed from the byseq and byspi hash chains is decided by value predicates (x->km.seq and x->id.spi being non-zero) rather than by whether the node is actually linked into the chain, and the bydst/bysrc unhashes carry no membership check at all. Because hlist_del_rcu() leaves the node's pprev pointer set to LIST_POISON2 after unlinking, any second delete of the same node writes through that poisoned pointer; this is the double-delete scenario the fix addresses. The vulnerability was reproducible under syzkaller fuzzing on Linux 6.12.47 and mainline, manifesting as KASAN-detected slab-use-after-free in __hlist_del, __xfrm_state_lookup, xfrm_alloc_spi, and related paths. The fix adopts the idempotent hlist_del_init_rcu() for all four hash chains and replaces the value predicates with hlist_unhashed() checks for byseq/byspi, so that unhash decisions track the real list state. Empirical verification showed zero crashes across 7.1 million executions post-patch versus ~100 hits pre-patch.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Linux kernel maintainers and distributors; organizations running IPsec VPNs, encrypted container networking, or XFRM-based traffic policies on affected kernel versions; cloud providers with multi-tenant network namespace isolation

Technical summary

The XFRM subsystem's __xfrm_state_delete() function used value-based predicates (x->km.seq and x->id.spi) to decide whether to unhash entries from the byseq and byspi hash chains, while the bydst and bysrc unhashes had no membership check. List state and predicate values could therefore diverge, for example when a state reaches the delete path twice or when a non-zero spi/seq value exists for a state that was never linked into the corresponding chain. In those cases hlist_del_rcu() runs on a node that is already unhashed: its pprev still holds LIST_POISON2 from the first delete, so the unlink writes through the poisoned pointer, and the stale next pointer can direct a second write into memory that has since been freed, which is the slab-use-after-free KASAN reports. The vulnerability is reachable during network namespace teardown (cleanup_net workqueue) and other xfrm_state_flush paths. The fix replaces hlist_del_rcu() with hlist_del_init_rcu() for all four hash chains and substitutes hlist_unhashed() checks for the value predicates, ensuring idempotent, state-consistent unhashing.
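To make the two unhash patterns described in the debrief concrete, the following added example (written for this page, not code from the Linux kernel or from the fix commit) models the kernel's hlist primitives in userspace and runs a reduced xfrm_state through a pre-fix and a post-fix version of the unhash logic. The struct layouts, the hash table, the two scenarios and the LIST_POISON2 value are all constructed for the example; the one deliberate departure from the kernel is a guard in __hlist_del() that counts a write through NULL or LIST_POISON2 instead of performing it, so the double delete can be observed rather than crash the process.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the kernel's hlist (include/linux/list.h, rculist.h)
 * with the RCU barriers dropped. Constructed for this example. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

/* Plays the role of the kernel's LIST_POISON2; the exact value is irrelevant. */
#define LIST_POISON2 ((struct hlist_node **)0x122)
#define INIT_HLIST_NODE(n) do { (n)->next = NULL; (n)->pprev = NULL; } while (0)

static int bad_unhashes;  /* unhash attempts that would write through NULL or LIST_POISON2 */

static bool hlist_unhashed(const struct hlist_node *h) { return !h->pprev; }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    n->next = first;
    if (first)
        first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

static void __hlist_del(struct hlist_node *n)
{
    struct hlist_node *next = n->next;
    struct hlist_node **pprev = n->pprev;

    /* Model-only guard: the kernel has no such check and performs the write. */
    if (pprev == NULL || pprev == LIST_POISON2) {
        bad_unhashes++;
        return;
    }
    *pprev = next;
    if (next)
        next->pprev = pprev;
}

/* Unlinks and poisons pprev; a second call on the same node writes through the poison. */
static void hlist_del_rcu(struct hlist_node *n)
{
    __hlist_del(n);
    n->pprev = LIST_POISON2;
}

/* Unlinks only if hashed and leaves the node re-checkable via hlist_unhashed(). */
static void hlist_del_init_rcu(struct hlist_node *n)
{
    if (!hlist_unhashed(n)) {
        __hlist_del(n);
        n->pprev = NULL;
    }
}

/* Reduced xfrm_state: only the fields and chain links this example needs. */
struct xfrm_state {
    uint32_t spi, seq;
    struct hlist_node bydst, bysrc, byspi, byseq;
};
struct xfrm_state_hash { struct hlist_head bydst, bysrc, byspi, byseq; };

/* Pre-fix shape of the unhash logic: value predicates, non-idempotent delete. */
static void xfrm_state_unhash_before(struct xfrm_state *x)
{
    hlist_del_rcu(&x->bydst);
    hlist_del_rcu(&x->bysrc);
    if (x->spi)
        hlist_del_rcu(&x->byspi);
    if (x->seq)
        hlist_del_rcu(&x->byseq);
}

/* Post-fix shape: membership predicates, idempotent delete on all four chains. */
static void xfrm_state_unhash_after(struct xfrm_state *x)
{
    hlist_del_init_rcu(&x->bydst);
    hlist_del_init_rcu(&x->bysrc);
    if (!hlist_unhashed(&x->byspi))
        hlist_del_init_rcu(&x->byspi);
    if (!hlist_unhashed(&x->byseq))
        hlist_del_init_rcu(&x->byseq);
}

static void state_init(struct xfrm_state *x, uint32_t spi, uint32_t seq)
{
    x->spi = spi; x->seq = seq;
    INIT_HLIST_NODE(&x->bydst); INIT_HLIST_NODE(&x->bysrc);
    INIT_HLIST_NODE(&x->byspi); INIT_HLIST_NODE(&x->byseq);
}

static bool chains_empty(const struct xfrm_state_hash *h)
{
    return !h->bydst.first && !h->bysrc.first && !h->byspi.first && !h->byseq.first;
}

/* Scenario 1 (constructed): a fully hashed state deleted twice, as when a flush
 * and a later teardown both reach the unhash path. Returns the bad-write count,
 * or -1 if a chain was left non-empty. */
static int scenario_double_delete(bool fixed)
{
    struct xfrm_state_hash h = {{0}, {0}, {0}, {0}};
    struct xfrm_state x;
    state_init(&x, 0x1234, 7);
    hlist_add_head(&x.bydst, &h.bydst);
    hlist_add_head(&x.bysrc, &h.bysrc);
    hlist_add_head(&x.byspi, &h.byspi);
    hlist_add_head(&x.byseq, &h.byseq);

    bad_unhashes = 0;
    for (int i = 0; i < 2; i++) {
        if (fixed) xfrm_state_unhash_after(&x);
        else       xfrm_state_unhash_before(&x);
    }
    return chains_empty(&h) ? bad_unhashes : -1;
}

/* Scenario 2 (constructed): spi is non-zero but the state was never linked into
 * byspi, so the value predicate and the list state disagree on a single delete. */
static int scenario_divergent_predicate(bool fixed)
{
    struct xfrm_state_hash h = {{0}, {0}, {0}, {0}};
    struct xfrm_state x;
    state_init(&x, 0x1234, 0);
    hlist_add_head(&x.bydst, &h.bydst);
    hlist_add_head(&x.bysrc, &h.bysrc);

    bad_unhashes = 0;
    if (fixed) xfrm_state_unhash_after(&x);
    else       xfrm_state_unhash_before(&x);
    return chains_empty(&h) ? bad_unhashes : -1;
}

int main(void)
{
    printf("double delete:       before=%d after=%d bad unhashes\n",
           scenario_double_delete(false), scenario_double_delete(true));
    printf("divergent predicate: before=%d after=%d bad unhashes\n",
           scenario_divergent_predicate(false), scenario_divergent_predicate(true));
    return 0;
}
```

The pre-fix path reports four bad writes on the double delete (one per chain, because every pprev is poisoned after the first pass) and one on the divergent-predicate case (a NULL pprev for the never-hashed byspi node); the post-fix path reports none in either case. The model also shows why the fix converts all four chains rather than only byseq/byspi: a node poisoned by hlist_del_rcu() has a non-NULL pprev, so hlist_unhashed() would still return false for it, and mixing the two delete variants on the same node would reintroduce the bad write.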

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable trees (6.12.y and applicable stable branches) containing commit 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 or equivalent backports
  • Prioritize patching systems running IPsec/XFRM with untrusted or fuzzed network inputs, particularly those exposed to container/namespace churn where cleanup_net workqueue paths are exercised; note that XFRM state is managed over netlink with CAP_NET_ADMIN checked against the caller's network namespace, so on hosts that permit unprivileged user namespaces the create/flush/teardown sequence can be driven by a local unprivileged user
  • Monitor for stable kernel updates addressing this fix if running 6.12.47, or any other kernel that has XFRM enabled and does not yet carry the fix commit or its backport
  • Review custom XFRM state management code for similar list-unhashing patterns that rely on value predicates rather than hlist_unhashed() checks

Evidence notes

CVE description confirms KASAN slab-use-after-free in __xfrm_state_delete under syzkaller load on 6.12.47 and mainline. Nine unique crash signatures cluster in the xfrm_state lifecycle. Root cause identified as value-based unhash predicates (x->km.seq, x->id.spi) inconsistent with actual list membership, plus unguarded bydst/bysrc unhashes enabling double delete through LIST_POISON. Fix verified: 7.1M execs at ~1550 exec/sec across 32 VMs produced zero UAF/OOB hits post-patch.

Official resources

2026-05-28