Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-46033— crypto: authencesn - reject short ahash digests during instance creation

AI Predicted 7.8 Difficulty: Moderate EPSS 0.03% · P10

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 18

VendorProductVersion RangeStatus
LinuxLinuxf15f05b0a5de667c821a9727c33bce9d1d9b26dd< 77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9affected
f15f05b0a5de667c821a9727c33bce9d1d9b26dd< 2f31cd1e64a079c845bca31d2da7b3c90a311726affected
f15f05b0a5de667c821a9727c33bce9d1d9b26dd< d4c6a6d08e70bb1083c7c405fc7faacbf19aebc0affected
f15f05b0a5de667c821a9727c33bce9d1d9b26dd< b69933e97efea238ebbfcf70c2b1be1cd03f13e3affected
f15f05b0a5de667c821a9727c33bce9d1d9b26dd< 67f1f0933cc3d78dde222842bcad2778ec7a0b88affected
f15f05b0a5de667c821a9727c33bce9d1d9b26dd< b42821c15445f93daea3e76ada682b2b7181c476affected
f15f05b0a5de667c821a9727c33bce9d1d9b26dd< 9aff81e8217e9de2929084b03b3c7f81988c112baffected
f15f05b0a5de667c821a9727c33bce9d1d9b26dd< 5db6ef9847717329f12c5ea8aba7e9f588a980c0affected
… +10 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46033

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
crypto: authencesn - reject short ahash digests during instance creation
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject short ahash digests during instance creation authencesn requires either a zero authsize or an authsize of at least 4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of high-order sequence number data at the end of the authenticated data. While crypto_authenc_esn_setauthsize() already rejects explicit non-zero authsizes in the range 1..3, crypto_authenc_esn_create() still copied auth->digestsize into inst->alg.maxauthsize without validating it. The AEAD core then initialized the tfm's default authsize from that value. As a result, selecting an ahash with digest size 1..3, such as cbcmac(cipher_null), exposed authencesn instances whose default authsize was invalid even though setauthsize() would have rejected the same value. AF_ALG could then trigger the ESN tail handling with a too-short tag and hit an out-of-bounds access. Reject authencesn instances whose ahash digest size is in the invalid non-zero range 1..3 so that no tfm can inherit an unsupported default authsize.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于authencesn实例创建时未验证ahash摘要长度,可能导致使用过短标签时触发越界访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux f15f05b0a5de667c821a9727c33bce9d1d9b26dd ~ 77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9 -
LinuxLinux 4.11 -

II. Public POCs for CVE-2026-46033

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46033

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46033 (8)

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

CVE-2026-459729.8 CRITICALsmb: client: fix potential UAF and double free in smb2_open_file()
CVE-2026-458989.8 CRITICALRDMA/iwcm: Fix workqueue list corruption by removing work_list
CVE-2026-459889.8 CRITICALrxrpc: Fix re-decryption of RESPONSE packets
CVE-2026-460399.8 CRITICALrxgk: Fix potential integer overflow in length check
CVE-2026-460439.1 CRITICALRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
CVE-2026-459458.8 HIGHiommu/vt-d: Fix race condition during PASID entry replacement
CVE-2026-460568.8 HIGHBluetooth: hci_event: fix potential UAF in SSP passkey handlers
CVE-2026-460378.2 HIGHipv4: icmp: validate reply type before using icmp_pointers
CVE-2026-458438.2 HIGHslip: bound decode() reads against the compressed packet length
CVE-2026-460998.1 HIGHnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
CVE-2026-460108.1 HIGHrxrpc: Fix error handling in rxgk_extract_token()
CVE-2026-460767.9 HIGHKVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
CVE-2026-459707.8 HIGHbonding: alb: fix UAF in rlb_arp_recv during bond up/down
CVE-2026-459807.8 HIGHaccel/amdxdna: Stop job scheduling across aie2_release_resource()
CVE-2026-459317.8 HIGHaccel/amdxdna: Hold mm structure across iommu_sva_unbind_device()
CVE-2026-460537.8 HIGHnet: rds: fix MR cleanup on copy error
CVE-2026-459297.8 HIGHovpn: fix possible use-after-free in ovpn_net_xmit
CVE-2026-458527.8 HIGHRDMA/rxe: Fix double free in rxe_srq_from_init
CVE-2026-458787.8 HIGHdrm/amdkfd: Fix watch_id bounds checking in debug address watch v2
CVE-2026-460587.8 HIGHmedia: amphion: Fix race between m2m job_abort and device_run

Showing top 20 of 276 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46033

No comments yet

Leave a comment