PT-2026-44239 · Linux · Linux Kernel
Published: 2026-05-28 · Updated: 2026-06-04
CVE-2026-46116
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.12.47
Description
A slab-use-after-free and out-of-bounds write issue exists in the Linux kernel's xfrm module. The problem occurs within the xfrm_state_delete() function, where unhashing from the byseq and byspi lists relied on value-based predicates instead of checking the actual list state. Because of this inconsistency, some paths skip the unhash when it is needed or perform it when it is not. Additionally, the bydst and bysrc unhashes lacked predicates entirely, leading to writes through LIST_POISON during secondary deletions. The issue manifests during the xfrm state lifecycle, specifically affecting functions such as xfrm_state_lookup(), xfrm_alloc_spi(), and xfrm_state_insert() on the byseq/byspi hash chains.
Recommendations
Update the Linux kernel to version 6.12.47 or later.
As a temporary mitigation, restrict the use of IPsec and xfrm state configurations to minimize the risk of triggering the xfrm_state_delete() function.
Fix
Related Identifiers
Affected Products
Linux Kernel
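
The difference between a value-based and a list-state predicate, as described in the Description, shown in a userspace C model. This is an added example, not kernel code and not the upstream patch; the types and function names (hnode, hhead, state, state_delete, value_says_hashed, demo) are constructed for illustration, and only the byspi chain is modelled.

```c
#include <stddef.h>
/* Userspace model of a kernel-style hlist; all names here are constructed. */
struct hnode { struct hnode *next, **pprev; };
struct hhead { struct hnode *first; };
/* Simplified stand-in for an xfrm state: the SPI value plus its byspi link. */
struct state { unsigned int spi; struct hnode byspi; };

static int unhashed(const struct hnode *n) { return n->pprev == NULL; }

static void hash_add(struct hnode *n, struct hhead *h)
{
    n->next = h->first;
    if (h->first)
        h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* Value-based predicate: "spi is set, so the node must be on the chain". */
static int value_says_hashed(const struct state *x) { return x->spi != 0; }

/* List-state delete: ask the node itself. Returns 1 only if it unlinked. */
static int state_delete(struct state *x)
{
    struct hnode *n = &x->byspi;
    if (unhashed(n))
        return 0;                 /* never hashed or already deleted: no write */
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
    n->next = NULL;
    n->pprev = NULL;              /* node now records that it is off the chain */
    return 1;
}

/* Constructed scenario; returns 0 if every step holds, else the failing step. */
int demo(void)
{
    struct hhead chain = { NULL };
    struct state a = { .spi = 0x100 }, b = { .spi = 0x200 }, c = { .spi = 0x300 };
    hash_add(&a.byspi, &chain);
    hash_add(&b.byspi, &chain);
    if (state_delete(&a) != 1) return 1;
    if (!value_says_hashed(&a)) return 2;   /* value still claims "hashed" */
    if (state_delete(&a) != 0) return 3;    /* second delete is a no-op */
    if (state_delete(&c) != 0) return 4;    /* SPI set, node never linked */
    return (chain.first == &b.byspi && b.byspi.next == NULL) ? 0 : 5;
}
int main(void) { return demo(); }
```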