CVE-2026-46000 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).

Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s rxrpc implementation incorrectly shared a sk_buff containing a RESPONSE packet that has been decrypted in place. If the packet was cloned, a packet sniffer on the same host could read the packet’s decrypted payload, resulting in an information disclosure of sensitive data that should remain confidential. This flaw does not provide arbitrary code execution or denial of service, but it can expose cryptographic secrets or other protected information.

Affected Systems

All Linux kernels that include the rxrpc implementation before the fix are affected. The issue was addressed in a commit to the Linux kernel repository and applies to any distribution providing the upstream kernel without the patch. Specific version ranges are not listed in the advisory, so any kernel older than the fix should be considered vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting that no widespread exploitation has been observed to date. Nevertheless, an attacker who can view traffic on Linux devices running the unpatched kernel, or who can execute packet‑capturing utilities locally, could exploit the flaw to read decrypted data. The lack of a listed KEV entry does not diminish the potential confidentiality impact, especially in environments handling sensitive payloads over network RPC. The CVSS rating is not supplied, but based on the description the risk level is medium to high for affected systems.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< c0428a22daf69714dc042b67ea759956b74c74e5
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< 98a2046d155f73f6cf5d2c493c5e09b4963e2e12
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< ca71ac2de389b01eecdc48bfafbdf073ec232044
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< d9b93a0f57ca5f6831bfaa34014b6cd705564a00
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< 24481a7f573305706054c59e275371f8d0fe919f

Linux

affected

Version	Status	Constraints
`2.6.22`	affected	—
`0`	unaffected	< 2.6.22
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the rxrpc replay‑packet unsharing patch (commit 24481a7f573305706054c59e275371f8d0fe919f or later).
If a kernel update cannot be performed immediately, block or disable rxrpc traffic on the network interfaces to prevent the flawed packet processing.
Restrict or disable local packet‑sniffing utilities to eliminate the possibility of sniffers accessing shared packets.

Generated by OpenCVE AI on May 27, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f
https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12
https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5
https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044
https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00

History

Wed, 27 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted). Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned.
Title		rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12 https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5 https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044 https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:55:55.288Z

Updated: 2026-05-27T12:55:55.288Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-46000

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:17.640

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses

CWE-200

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object