CVE-2026-46116
A memory safety bug exists in the Linux kernel's IPsec implementation where the xfrm_state subsystem can encounter use-after-free errors when network security policies are deleted or when network namespaces are torn down. The kernel's code was using inconsistent methods to track whether data structures were properly removed from internal lists, causing the same memory region to sometimes be deleted twice. This corrupts kernel memory and can lead to privilege escalation or denial of service on affected systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416, CWE-763
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-30
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being: BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline] BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline] BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435 Workqueue: netns cleanup_net Call Trace: __hlist_del / hlist_del_rcu __xfrm_state_delete xfrm_state_delete xfrm_state_flush xfrm_state_fini ops_exit_list cleanup_net The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains. __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates: if (x->km.seq) hlist_del_rcu(&x->byseq); if (x->id.spi) hlist_del_rcu(&x->byspi); while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev. The defensive change here: - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst, bysrc, byseq and byspi so a second deletion is a no-op rather than a write through LIST_POISON pprev. The byseq/byspi nodes are already initialised in xfrm_state_alloc(). - Test hlist_unhashed() rather than the value predicate for byseq/byspi, so the unhash decision tracks list state rather than mutable scalar fields. Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash. Reproduction: - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal - 9 unique signatures collected in ~9h, all within xfrm_state lifecycle
10 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46116 is a use-after-free (CWE-416) and improper check (CWE-763) vulnerability in net/xfrm/xfrm_state.c. The __xfrm_state_delete() function uses value-based predicates (checking if x->km.seq and x->id.spi are non-zero) to decide whether to call hlist_del_rcu() on byseq and byspi hash chains. However, these scalar field checks are unreliable outside of xfrm_state_lock, creating a time-of-check–time-of-use race condition. Additionally, bydst and bysrc chains have no predicate check at all, allowing a second deletion to write through LIST_POISON. The fix replaces hlist_del_rcu() with hlist_del_init_rcu() on all four chains and switches to hlist_unhashed() checks instead of value predicates, ensuring deletions are idempotent and match actual list membership.
Business impact
A local attacker with unprivileged user access can trigger this vulnerability through IPsec policy manipulation or by creating and tearing down network namespaces under load. Exploitation can result in kernel memory corruption leading to privilege escalation to root, data exfiltration from kernel memory (including cryptographic keys and sensitive network state), or denial of service via kernel panic. For organizations running Linux-based network appliances, VPN gateways, or containerized workloads, this threatens confidentiality, integrity, and availability of network security infrastructure and potentially the systems depending on it.
Affected systems
The Linux kernel xfrm subsystem is affected. The vulnerability has been reproduced on linux-6.12.47 and is reachable via the same code path in both the upstream torvalds/master branch and the ipsec tree. Affected systems include any Linux distribution or embedded system running the kernel 6.12.x series (and potentially earlier versions sharing the same xfrm_state code). Systems with IPsec enabled or that use network namespaces (common in containerized environments, OpenStack, Kubernetes, and Docker) are at particular risk.
Exploitability
Exploitability is moderate to high for privileged attacks and user-namespace scenarios. While the CVSS 3.1 vector requires local access (AV:L) and unprivileged user privileges (PR:L), the vulnerability is reliably triggerable under load via syzkaller, indicating deterministic crash conditions exist. In container or namespace isolation contexts where non-root users can manipulate IPsec policies or rapidly create/destroy namespaces, the barrier to exploitation is low. The KEV catalog does not yet list this as actively exploited in the wild, but the predictable nature of the trigger (namespace cleanup under fuzz load) suggests weaponization risk if the vulnerability becomes widely known before patching.
Remediation
Apply kernel updates once vendors release fixed versions. The fix modifies __xfrm_state_delete() to use hlist_del_init_rcu() instead of hlist_del_rcu() for all four hash chains (bydst, bysrc, byseq, byspi), and replaces value-based predicates with hlist_unhashed() checks for byseq and byspi. This defensive approach makes list deletions idempotent—a second deletion becomes a no-op rather than memory corruption. Interim mitigation: disable IPsec if not required, restrict namespace creation to trusted users, and monitor for use-after-free or slab-use-after-free KASAN warnings in kernel logs.
Patch guidance
Monitor upstream Linux repositories and your distribution's security advisories for kernel updates incorporating the xfrm_state defensive deletion patch. Verify against the vendor advisory that patches include explicit use of hlist_del_init_rcu() on all four chains and hlist_unhashed() checks. For long-term support (LTS) kernels (6.1, 6.6, 6.12), track the stable tree backports. Test patched kernels in non-production with your typical IPsec and namespace workloads before rolling out. Given the KASAN testing that confirmed elimination of crashes post-patch, updates should be safe to deploy once available.
Detection guidance
Monitor kernel logs for KASAN warnings matching the signature: 'slab-use-after-free in __hlist_del / hlist_del_rcu in __xfrm_state_delete' or related byseq/byspi/bydst/bysrc anomalies. Syzkaller fuzzing or stress tests exercising network namespace creation/destruction or rapid IPsec policy changes may surface the bug. Systems with KASAN_GENERIC + KASAN_INLINE enabled are most likely to report crashes. In production systems without KASAN, watch for unexplained kernel panics referencing xfrm_state or memory corruption warnings. Behavioral indicators include intermittent denial of service during heavy namespace turnover (e.g., container orchestration events) or sporadic privilege escalation in multi-tenant environments.
Why prioritize this
This vulnerability merits prioritization due to its HIGH severity (CVSS 7.8), demonstrated reliability under fuzz testing, local privilege escalation potential, and presence in widely-deployed kernel versions. The xfrm subsystem is fundamental to IPsec and VPN functionality; corruption in its state management can compromise both the kernel and sensitive cryptographic material. Containers and orchestration platforms that aggressively create/tear down namespaces face elevated risk. The lack of active KEV exploitation does not reduce priority, as the deterministic crash signature lowers the barrier for malicious reproduction once details propagate. Immediate patching should rank above lower-severity CVEs.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects local attack vector (AV:L), low attack complexity (AC:L), low privilege requirements (PR:L), no user interaction, and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures kernel memory corruption leading to privilege escalation and denial of service. The use-after-free and lack of active real-world exploitation slightly reduce practical risk compared to a remotely exploitable critical flaw, but the predictable trigger under fuzz load and prevalence of xfrm in VPN/container infrastructure justify the HIGH classification.
Frequently asked questions
Does this vulnerability require root access to exploit?
No. The CVSS vector specifies PR:L (low privilege), meaning an unprivileged local user (non-root) can trigger it. In container or user-namespace scenarios, the attacker may already be 'local' within a sandbox. However, the exploit requires the ability to manipulate IPsec policies or create/destroy network namespaces, so some administrative capabilities or misconfiguration of namespace permissions increases risk.
Are all Linux distributions affected?
Any distribution shipping a Linux kernel in the 6.12.x branch is affected. The vulnerability also exists in torvalds/master and the ipsec tree, suggesting potential presence in older kernels sharing the same xfrm_state code path, though empirical reproduction was confirmed on 6.12.47. Check your vendor's advisories and kernel version to determine if your distribution has backported the fix.
What is the difference between this vulnerability and a typical use-after-free?
This is a use-after-free in the kernel's internal hash-list management, not in user-facing memory allocation. It corrupts kernel data structures governing network security state, making it particularly dangerous because it affects IPsec policy enforcement and can expose cryptographic material. The defensive fix (using hlist_del_init_rcu and hlist_unhashed checks) prevents double-deletion rather than allocating fresh memory, making it a structural robustness improvement rather than a bounds fix.
If I don't use IPsec, am I safe?
If IPsec is completely disabled in your kernel or never used operationally, exposure is reduced. However, the code path is also triggered during network namespace teardown (even without active IPsec), so container hosts or systems making heavy use of namespaces remain at risk. Verify that IPsec modules are not loaded and namespace churn is minimal to fully mitigate.
This analysis is provided for informational and defensive security purposes. SEC.co does not guarantee the completeness or accuracy of affected version lists—consult vendor security advisories for authoritative patch availability and timelines. No proof-of-concept code or exploitation details are provided. CVSS scores and CWE classifications reflect the provided CVE record; independent risk assessment appropriate to your environment is recommended. This vulnerability has not been confirmed as actively exploited in the wild as of the publication date; however, defensive patching should not be delayed pending real-world sightings. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGH
CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGH
CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGH
CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGH
CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGH
CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGH
CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGH
CVE-2026-10016: Use-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGH
CVE-2026-10882: Critical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance