CVE-2026-46193 Overview
CVE-2026-46193 is a Linux kernel vulnerability in the IPsec Authentication Header (AH) transform code under net/xfrm. The flaw occurs when Extended Sequence Number (ESN) processing is combined with an asynchronous hash (ahash) implementation. The async setup path appends a 4-byte seqhi slot before the ICV or auth_data region, but the async completion callbacks reconstruct the layout as if seqhi were absent. As a result, AH copies or compares the wrong bytes on both IPv4 and IPv6 paths, breaking authentication and causing packet loss.
Critical Impact
AH+ESN traffic processed through an async hash implementation fails authentication, causing 100% packet loss for affected IPsec flows and breaking IPsec connectivity.
Affected Products
- Linux kernel net/ipv4/ah4 IPsec AH transform
- Linux kernel net/ipv6/ah6 IPsec AH transform
- Linux kernel builds using async ahash AH implementations with ESN enabled
Discovery Timeline
- 2026-05-28 - CVE-2026-46193 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46193
Vulnerability Analysis
The Linux kernel AH transform allocates a temporary buffer that holds either the inbound ICV/auth_data or the outbound ICV slot. When ESN is enabled per RFC 4302, the high-order 32 bits of the sequence number must participate in the ICV computation. The async setup path reserves a 4-byte seqhi slot immediately before the ICV or auth_data area to satisfy this requirement.
The defect lies in the asynchronous completion callbacks. Those callbacks recompute pointer offsets into the temporary buffer using the non-ESN layout, ignoring the 4-byte seqhi reservation. AH then reads or writes at offsets shifted by 4 bytes from the actual ICV or auth_data location.
Reproduction under User Mode Linux (UML) with IPv4 AH, ESN, and a forced async hmac(sha1) showed icv_off=20 where expected_off=24, and auth_off=20 where expected_auth_off=24. Ping traffic failed with 100% packet loss until the layout reconstruction was corrected.
Root Cause
The root cause is an inconsistency between the AH async setup path and its completion callbacks regarding the ESN seqhi slot. The setup path accounts for the slot, while ah_output_done and ah_input_done do not, producing a layout drift of 4 bytes whenever ESN is active.
Attack Vector
The issue is a functional correctness defect that manifests as a denial of service for legitimate IPsec sessions. Any AH security association configured with ESN that resolves to an async hash provider will fail to authenticate traffic. This breaks IPsec tunnels and transport-mode flows for affected hosts.
The vulnerability is reachable only when AH with ESN is configured and the kernel selects an asynchronous ahash implementation. The data described in the patch does not establish a remote authentication bypass; the observed effect is packet drops on both IPv4 and IPv6 AH paths.
Detection Methods for CVE-2026-46193
Indicators of Compromise
- Sudden 100% packet loss on AH-protected IPsec flows after enabling ESN on a kernel using an async hash provider
- xfrm input statistics showing authentication failures (XfrmInStateProtoError, XfrmInStateInvalid) on AH SAs with ESN enabled
- Kernel debug traces from ah4/ah6 showing mismatched icv_off versus expected_off values during async completion
Detection Strategies
- Inventory kernels running IPsec AH with ESN and identify whether the selected hash transform is async (for example forced hmac(sha1) via cryptomgr or hardware offload engines)
- Correlate IPsec SA establishment events with sudden drops in authenticated traffic counters to flag affected tunnels
- Validate AH+ESN connectivity after kernel updates using controlled ping or iperf tests across both IPv4 and IPv6 paths
Monitoring Recommendations
- Track /proc/net/xfrm_stat for increases in authentication and protocol error counters on hosts using AH with ESN
- Alert on IPsec session flaps that coincide with kernel module loads for async hash providers or crypto accelerator drivers
- Forward kernel logs to a centralized log platform and search for ah4/ah6 async completion errors and xfrm decryption failures
How to Mitigate CVE-2026-46193
Immediate Actions Required
- Apply the upstream Linux kernel patches that align the AH async completion layout with the setup path for ESN
- Until patches are deployed, avoid pairing AH with ESN on kernels that select async ahash providers; prefer ESP or use a synchronous hash transform
- Audit IPsec policies to identify SAs configured with AH and ESN and verify whether they currently traverse an async crypto path
Patch Information
The fix reconstructs the callback-side layout to match the setup path by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Patches are available in the upstream stable tree across multiple branches: Kernel Patch Commit 0555d4f5, Kernel Patch Commit 2ffaa7a9, Kernel Patch Commit 729899a2, Kernel Patch Commit 7db99a09, and Kernel Patch Commit ec54093e.
Workarounds
- Disable ESN on AH security associations where async hash providers cannot be avoided
- Switch AH transforms to a synchronous hash implementation by adjusting crypto module priorities so a sync hmac variant is selected
- Migrate affected flows to ESP, which is not impacted by this AH-specific layout defect
# Example: verify kernel version and confirm patch presence in the stable tree
uname -r
# Inspect IPsec SAs for AH + ESN combinations
ip xfrm state | grep -E 'proto ah|flag .*esn'
# Check xfrm error counters that may indicate the layout mismatch
cat /proc/net/xfrm_stat
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
