MEDIUM 5.5

CVE-2026-46193: Linux Kernel IPsec AH ESN Async Callback Offset Vulnerability

A flaw in the Linux kernel's AH (Authentication Header) implementation causes incorrect packet authentication when Extended Sequence Numbers (ESN) are enabled and async cryptographic operations are used. The kernel miscalculates where authentication data is stored during async callbacks, leading to the comparison of wrong bytes and packet validation failures. This breaks IPsec AH protection on affected systems.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-19

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: xfrm: ah: account for ESN high bits in async callbacks AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent. With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift: ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24 ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36 Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot. Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46193 addresses a memory layout mismatch in the Linux kernel's xfrm AH subsystem. When ESN is enabled, the async ahash setup prepends a 4-byte seqhi (sequence number high bits) slot before the ICV or auth_data area. However, the async completion callbacks reconstruct the temporary buffer layout without accounting for this offset, causing them to read and compare authentication data from incorrect positions. This affects both IPv4 (ah4) and IPv6 (ah6) code paths. Per RFC 4302, the ESN high-order 32 bits participate in AH ICV computation, so the async path must preserve the seqhi slot position throughout the authentication lifecycle.

Business impact

Systems relying on IPsec AH with ESN and async hardware crypto engines (or forced async implementations) will experience authentication failures on outbound and inbound traffic. This manifests as 100% packet loss in affected traffic flows, effectively disabling IPsec protection for those connections. Organizations using AH for high-assurance network security or VPN endpoints may face complete loss of encrypted tunnel functionality until patched.

Affected systems

The vulnerability affects Linux kernels that implement AH with ESN support when async cryptographic operations are selected or available. This includes systems using hardware-accelerated AH engines and configurations where async hmac-sha1 or similar algorithms are forced. Both IPv4 and IPv6 AH implementations are vulnerable, though IPv6 AH+ESN has not been extensively tested. The issue does not affect synchronous AH implementations or AH without ESN enabled.

Exploitability

Exploitability is limited by several factors. The vulnerability requires local access (AV:L) and specific kernel configuration combining AH with ESN and async crypto paths. It is not remotely triggerable and does not grant privilege escalation or data exfiltration. An attacker cannot weaponize this for confidentiality breaches; the impact is availability-only (denial of IPsec service). However, once the conditions are met, the flaw is trivial to trigger—any AH-protected packet with ESN will fail.

Remediation

Apply the Linux kernel patch that corrects the async callback layout reconstruction to account for the ESN seqhi slot. The fix modifies net/ipv4/ah4.o and net/ipv6/ah6.o to skip the seqhi offset before locating saved auth_data or ICV during callback processing, aligning the callback-side logic with the setup path. Verify the patch against the upstream Linux kernel advisory for exact version applicability.

Patch guidance

Identify kernel versions and distributions affected by checking if AH+ESN with async crypto is in use (verify via kernel config and IPsec policy). Apply the upstream fix from the Linux kernel stable trees covering the xfrm/ah subsystem. Test patched kernels in a staging environment with AH+ESN traffic before production rollout. Organizations should consult their distribution maintainers (Red Hat, Canonical, SUSE, etc.) for backported patches to supported kernel versions. Verify build cleanly at W=1 warnings level post-patch.

Detection guidance

Monitor IPsec AH state machine logs for callback offset mismatches (e.g., 'ah4 output_done: icv_off=20 expected_off=24'). Enable kernel debugging or audit logs for xfrm operations when AH+ESN is active. Test connectivity on AH+ESN tunnels; 100% packet loss is a strong indicator. Correlate IPsec policy audit logs with traffic loss during peak usage. Check kernel version and config: if CONFIG_XFRM and CONFIG_XFRM_AH are enabled with ESN policies in place, assume vulnerability unless patched.

Why prioritize this

This is a medium-severity availability issue affecting a niche but critical subsystem (IPsec AH+ESN). The low CVSS score reflects local-only access and lack of escalation, but organizations actively using AH for VPN or site-to-site encryption should prioritize patching. The flaw is simple to trigger once conditions align, making it a reliability concern for infrastructure that depends on async AH engines. Not a KEV entry, so no active exploitation pressure, but the impact on affected deployments is total.

Risk score, explained

CVSS 5.5 (Medium) reflects AV:L (local attack vector), AC:L (low complexity once conditions met), PR:L (low privilege required), and A:H (high availability impact). The score does not account for the rarity of the vulnerable configuration (AH+ESN+async crypto), which in practice may reduce real-world risk. However, for organizations meeting all three conditions, this is a critical availability issue despite the medium rating.

Frequently asked questions

Does this affect my IPsec setup if I'm not using Extended Sequence Numbers (ESN)?

No. ESN must be enabled in the AH configuration for this flaw to manifest. If your IPsec policies do not include ESN, or if you use synchronous (non-async) AH implementations, you are not affected.

What is the difference between the setup path and the callback path in AH?

The setup path initializes the AH crypto operation and allocates the temporary buffer layout (including the ESN seqhi slot if needed). The callback path runs asynchronously when the hardware or crypto engine completes the operation. This bug is a mismatch: setup allocates with the seqhi slot, but callbacks read from the wrong position because they ignore it.

Can I work around this without patching?

Yes, in the short term: disable async crypto for AH (force synchronous operation via kernel module parameters or policy), or disable ESN in your IPsec policies. Both reduce the vulnerability scope, though the former may impact performance on systems with hardware crypto support. Patching is the proper long-term fix.

Will this affect my encrypted traffic confidentiality if left unpatched?

No. This vulnerability only impacts authentication (availability of the AH integrity check), not confidentiality. However, it will cause AH-protected packets to fail authentication and be dropped, breaking tunnel connectivity.

This analysis is based on the CVE description and kernel patch documentation as of the published date. CVSS scores, patch version numbers, and affected product lists derive from official sources and should be verified against vendor advisories and your specific kernel configuration. No exploit code or proof-of-concept steps are provided. Organizations should test patches in non-production environments before deployment. This vulnerability requires specific configuration (AH + ESN + async crypto) and does not affect all Linux systems. For real-time threat intelligence and distribution-specific guidance, consult your vendor's security advisories. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).