CVE-2026-46116: Linux Kernel Use-After-Free Vulnerability

CVE-2026-46116 Overview

CVE-2026-46116 is a slab use-after-free vulnerability in the Linux kernel's IPsec xfrm subsystem. The flaw resides in __xfrm_state_delete() within net/xfrm/xfrm_state.c and was reproduced under syzkaller fuzzing against Linux 6.12.47 with KASAN enabled. The function uses value-based predicates on x->km.seq and x->id.spi to decide whether to unhash an xfrm_state from the byseq and byspi hash chains, while bydst and bysrc unhashes have no predicate at all. A second deletion of the same object can write through LIST_POISONpprev, leading to memory corruption in the kernel's network namespace cleanup path.

Critical Impact

A use-after-free in kernel network code can lead to kernel memory corruption, denial of service, and potentially local privilege escalation when triggered through the xfrm_state lifecycle.

Affected Products

• Linux kernel 6.12.y stable series (reproduced on 6.12.47)
• Linux kernel mainline (torvalds/master) at time of reporting
• Linux ipsec tree at time of reporting

Discovery Timeline

• 2026-05-28 - CVE-2026-46116 published to NVD
• 2026-05-28 - Last updated in NVD database

Technical Details for CVE-2026-46116

Vulnerability Analysis

The defect is a use-after-free [CWE-416] in the Linux kernel xfrm (IPsec transform) state management code. KASAN reported nine unique signatures clustered in the xfrm_state lifecycle. The load-bearing signature is a write of size 8 in __hlist_del reached through hlist_del_rcu from __xfrm_state_delete, observed during cleanup_net workqueue processing.

The call chain is cleanup_net → ops_exit_list → xfrm_state_fini → xfrm_state_flush → xfrm_state_delete → __xfrm_state_delete. Additional signatures reach the same slab object via __xfrm_state_lookup, xfrm_alloc_spi, and __xfrm_state_insert, plus an out-of-bounds write variant of __xfrm_state_delete, all on the byseq and byspi hash chains.

Root Cause

The __xfrm_state_delete() function guards byseq and byspi unhashes with value-based predicates rather than list-state predicates. The code checks if (x->km.seq) before calling hlist_del_rcu(&x->byseq) and if (x->id.spi) before calling hlist_del_rcu(&x->byspi). Elsewhere in the file the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and immediately inserts into byspi, but a path observing x->id.spi != 0 outside xfrm_state_lock can skip or perform the byspi unhash inconsistently with whether x is actually on the list. The bydst and bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISONpprev.

Attack Vector

The vulnerability is reachable through normal xfrm_state lifecycle operations exercised by IPsec configuration interfaces. Syzkaller reproduced the crash by fuzzing those interfaces from within a network namespace. A local user with the ability to manipulate IPsec state, or workloads that race state creation and deletion across namespaces, can drive the inconsistent path. Refer to the kernel commits in the upstream references for the precise code paths.

Detection Methods for CVE-2026-46116

Indicators of Compromise

• Kernel KASAN reports containing slab-use-after-free in __hlist_del or hlist_del_rcu with __xfrm_state_delete on the call stack.
• Unexpected kernel oops or panic traces referencing xfrm_state_flush, xfrm_state_fini, or cleanup_net in the workqueue context kworker/u*:*.
• KASAN reads in xfrm_alloc_spi or __xfrm_state_lookup targeting freed xfrm_state slab objects.

Detection Strategies

• Enable CONFIG_KASAN_GENERIC and CONFIG_KASAN_INLINE on test kernels to surface the use-after-free at the point of corruption.
• Monitor /var/log/kern.log and dmesg for BUG: KASAN entries citing net/xfrm/xfrm_state.c.
• Audit running kernel versions against the patched stable releases listed in the kernel.org commits referenced for this CVE.

Monitoring Recommendations

• Forward kernel logs to a centralized log store and alert on KASAN, general protection fault, or LIST_POISON strings.
• Track frequency of network namespace creation and teardown on multi-tenant hosts where containerized workloads use IPsec.
• Inventory IPsec policy and SA churn rates through ip xfrm state and ip xfrm policy audits to identify hosts exercising the vulnerable code paths.

How to Mitigate CVE-2026-46116

Immediate Actions Required

• Apply the upstream patches referenced under the kernel.org commits for this CVE on all affected kernels.
• Rebuild and deploy patched kernel packages from your distribution as they become available for the 6.12.y stable series and mainline.
• Restrict CAP_NET_ADMIN and user namespace creation for untrusted users on hosts running unpatched kernels.

Patch Information

The fix replaces hlist_del_rcu() with hlist_del_init_rcu() on the bydst, bysrc, byseq, and byspi chains so a second deletion becomes a no-op rather than a write through LIST_POISONpprev. It also replaces value-based predicates with hlist_unhashed() so unhash decisions track list state rather than mutable scalar fields. The byseq and byspi nodes are already initialized in xfrm_state_alloc(). Patch commits are available at Kernel commit 14acf965, Kernel commit 26edb0a3, Kernel commit 4980162d, Kernel commit a2e2d08f, and Kernel commit b4a53add.

Workarounds

• Disable IPsec/xfrm on hosts that do not require it by unloading the xfrm_user and related modules where operationally feasible.
• Limit access to network configuration interfaces by removing CAP_NET_ADMIN from non-administrative users and containers.
• Disable unprivileged user namespaces via sysctl kernel.unprivileged_userns_clone=0 where supported, to reduce reachability of the code path from untrusted workloads.

# Configuration example: restrict user namespaces and unload xfrm modules where possible
sysctl -w kernel.unprivileged_userns_clone=0
modprobe -r xfrm_user 2>/dev/null || true