MEDIUM 5.5

CVE-2026-46104

A flaw exists in how the Linux kernel's SELinux security module accesses socket security data when multiple security modules are stacked together. The vulnerability occurs because SELinux directly reads socket security information from a hardcoded memory location, assuming it will always find its own data there. When another security module is loaded first, SELinux reads the wrong data instead, potentially using invalid security identifiers in permission checks. This can cause the kernel to crash due to invalid memory access or improper security decisions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-25

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: selinux: use sk blob accessor in socket permission helpers SELinux socket state lives in the composite LSM socket blob. sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero. In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks. Use selinux_sock() instead of accessing sk->sk_security directly.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46104 is a SELinux LSM vulnerability in the Linux kernel stemming from incorrect socket blob accessor usage. The functions sock_has_perm() and nlmsg_sock_has_extended_perms() directly dereference sk->sk_security, which assumes the SELinux socket blob occupies offset zero in the composite LSM blob structure. In stacked LSM configurations where another module allocates socket blob storage before SELinux, this assumption fails. These helpers then read attacker-controlled or garbage data from the wrong blob offset, passing invalid SID and class values to AVC permission checks. The fix involves replacing direct pointer dereference with the selinux_sock() accessor function, which correctly handles blob offset calculations in stacked configurations.

Business impact

Organizations running Linux systems with stacked LSM configurations (such as SELinux combined with AppArmor or other modules) face potential denial-of-service conditions through kernel crashes triggered by invalid security checks. Permission enforcement may also be compromised if incorrect security contexts are applied, potentially allowing or denying legitimate operations unpredictably. The impact is primarily availability-focused but carries secondary integrity risks in environments relying on SELinux for mandatory access control.

Affected systems

The Linux kernel is affected. The vulnerability is specific to configurations where SELinux operates alongside other LSM modules in a stacked arrangement. Standard deployments running SELinux alone are not vulnerable because the blob offset assumption holds true. Systems with both SELinux and AppArmor, SELinux and SMACK, or other multi-LSM stacks are at risk. Affected versions require patches to the kernel's SELinux socket permission helper functions.

Exploitability

Exploitation requires local access to the affected system and the ability to trigger socket operations that invoke the vulnerable code paths. The vulnerability cannot be exploited remotely. A local attacker or unprivileged process triggering socket permission checks in a stacked LSM environment can cause kernel panics or trigger unexpected permission denials. The CVSS 3.1 score of 5.5 (Medium) reflects local access requirements and local impact scope, though availability impact is rated high.

Remediation

Apply kernel updates that replace direct sk->sk_security dereferences with the selinux_sock() accessor in socket permission helper functions. System administrators should verify their kernel version against the vendor's advisory for patched releases. The fix is straightforward and poses no compatibility risk; it simply corrects the blob accessor pattern to work correctly in all LSM configurations.

Patch guidance

Verify the patched kernel version against your Linux distribution's security advisory. The fix involves updating socket permission helper functions to use selinux_sock() instead of direct pointer access. Most distributions will provide kernel updates through standard package management tools. Test patches in non-production environments first, especially in systems relying on SELinux for security policy enforcement, to ensure policy evaluation remains consistent.

Detection guidance

Monitor kernel logs and system messages for unexpected permission denials or AVC audit entries from socket operations, particularly in systems with stacked LSMs. Watch for kernel panics or oops messages referencing SELinux socket functions (sock_has_perm, nlmsg_sock_has_extended_perms). Systems not currently running stacked LSM configurations are unaffected and require no immediate monitoring, though they should still apply available patches proactively.

Why prioritize this

Prioritize patching based on your LSM configuration. Systems running SELinux with other LSMs (AppArmor, SMACK, Tomoyo) should treat this as a high-priority kernel update due to direct availability risk. Standard SELinux-only deployments can address this through regular kernel maintenance windows, as the practical attack surface is narrower. The CVSS 5.5 rating is appropriate for local, privilege-required impact, but the criticality in stacked LSM environments justifies accelerated treatment in those architectures.

Risk score, explained

The CVSS 3.1 score of 5.5 (Medium) reflects: Attack Vector = Local (requires system access), Attack Complexity = Low (straightforward triggering of socket operations), Privileges Required = Low (unprivileged users can trigger vulnerable paths), User Interaction = None, Scope = Unchanged, Confidentiality = None, Integrity = None, and Availability = High (kernel crash impact). The score appropriately captures the local-only nature while reflecting significant availability impact. Organizations with stacked LSM security models may consider this more critical than the base score suggests.

Frequently asked questions

Does this vulnerability affect systems running SELinux alone without other LSM modules?

No. The vulnerability only manifests in stacked LSM configurations where another security module loads before SELinux. Single-LSM deployments are not affected by this specific flaw, though patching is still recommended for defense-in-depth and other potential kernel improvements.

Can this vulnerability be exploited remotely?

No, exploitation requires local access to the system. Remote attackers cannot directly trigger the vulnerable code paths. The threat model is limited to local users or processes on the affected system.

What is a stacked LSM configuration?

Stacked LSMs allow multiple Linux Security Modules to operate simultaneously, with each contributing to access control decisions. Examples include SELinux with AppArmor, SELinux with SMACK, or other combinations. Each module maintains its own blob storage, and the kernel manages blob offsets. This vulnerability arises when SELinux incorrectly assumes its blob is always at offset zero.

Will applying the patch break my existing SELinux policy?

No. The patch corrects how SELinux accesses security context data but does not change policy semantics. Existing policies and permission configurations remain valid and effective after patching.

This analysis is based on the CVE record and publicly available vulnerability data as of the publication date. Exploit code and weaponized proof-of-concept information are not included. Patch versions and specific vendor advisories must be verified directly against your Linux distribution's security bulletins. Organizations should test patches in non-production environments before production deployment, particularly those running security-critical stacked LSM configurations. This summary does not constitute professional security advice; consult your systems team and vendor guidance for your specific environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities