CVE-2026-46000 - Vulnerability Details

- rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).

Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s rxrpc implementation incorrectly shared a sk_buff containing a RESPONSE packet that has been decrypted in place. If the packet was cloned, a packet sniffer on the same host could read the packet’s decrypted payload, resulting in an information disclosure of sensitive data that should remain confidential. This flaw does not provide arbitrary code execution or denial of service, but it can expose cryptographic secrets or other protected information.

Affected Systems

All Linux kernels that include the rxrpc implementation before the fix are affected. The issue was addressed in a commit to the Linux kernel repository and applies to any distribution providing the upstream kernel without the patch. Specific version ranges are not listed in the advisory, so any kernel older than the fix should be considered vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting that no widespread exploitation has been observed to date. Nevertheless, an attacker who can view traffic on Linux devices running the unpatched kernel, or who can execute packet‑capturing utilities locally, could exploit the flaw to read decrypted data. The lack of a listed KEV entry does not diminish the potential confidentiality impact, especially in environments handling sensitive payloads over network RPC. The CVSS score is 5.5, indicating a medium impact for affected systems.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< c0428a22daf69714dc042b67ea759956b74c74e5
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< 98a2046d155f73f6cf5d2c493c5e09b4963e2e12
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< ca71ac2de389b01eecdc48bfafbdf073ec232044
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< d9b93a0f57ca5f6831bfaa34014b6cd705564a00
`17926a79320afa9b95df6b977b40cca6d8713cea`	affected	< 24481a7f573305706054c59e275371f8d0fe919f

Linux

affected

Version	Status	Constraints
`2.6.22`	affected	—
`0`	unaffected	< 2.6.22
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[17926a79320afa9b95df6b977b40cca6d8713cea,c0428a22daf69714dc042b67ea759956b74c74e5)`	affected	code_commit	—
`[17926a79320afa9b95df6b977b40cca6d8713cea,98a2046d155f73f6cf5d2c493c5e09b4963e2e12)`	affected	code_commit	—
`[17926a79320afa9b95df6b977b40cca6d8713cea,ca71ac2de389b01eecdc48bfafbdf073ec232044)`	affected	code_commit	—
`[17926a79320afa9b95df6b977b40cca6d8713cea,d9b93a0f57ca5f6831bfaa34014b6cd705564a00)`	affected	code_commit	—
`[17926a79320afa9b95df6b977b40cca6d8713cea,24481a7f573305706054c59e275371f8d0fe919f)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.22`	affected	semver	—
`[0,2.6.22)`	unaffected	semver	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.88,6.13.0)`	unaffected	semver	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the rxrpc replay‑packet unsharing patch (commit 24481a7f573305706054c59e275371f8d0fe919f or later).
If a kernel update cannot be performed immediately, block or disable rxrpc traffic on the network interfaces to prevent the flawed packet processing.
Restrict or disable local packet‑sniffing utilities to eliminate the possibility of sniffers accessing shared packets.

Generated by OpenCVE AI on May 28, 2026 at 04:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8370-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8371-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8373-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8374-1	Linux kernel vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.002.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f
https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12
https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5
https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044
https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00
https://lore.kernel.org/linux-cve-announce/2026052742-CVE-2026-46000-b884@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46000
https://www.cve.org/CVERecord?id=CVE-2026-46000

History

Tue, 16 Jun 2026 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Thu, 28 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-319
References		https://lore.kernel.org/linux-cve-announce/2026052742-CVE-2026-46000-b884@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46000 https://www.cve.org/CVERecord?id=CVE-2026-46000
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 27 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted). Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned.
Title		rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12 https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5 https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044 https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:55:55.288Z

Updated: 2026-06-14T17:47:13.061Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-46000

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:17.640

Modified: 2026-06-16T13:14:03.103

Link: CVE-2026-46000

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46000 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses

CWE-319
Cleartext Transmission of Sensitive Information
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object