Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux Distros Unpatched Vulnerability : CVE-2026-46116

🗓️ 29 May 2026 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 6 Views

Unpatched Linux kernels exhibit CVE 2026 46116 due to xfrm_state use after free on Linux 6.12.y.

Related
Refs
Code
ReporterTitlePublishedViews
Family
CNNVD		Linux kernel 安全漏洞
28 May 202600:00
cnnvd
CVE		CVE-2026-46116
28 May 202609:35
cve
Cvelist		CVE-2026-46116 xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
28 May 202609:35
cvelist
Debian CVE		CVE-2026-46116
28 May 202609:35
debiancve
EUVD		EUVD-2026-32875
28 May 202609:35
euvd
NVD		CVE-2026-46116
28 May 202610:16
nvd
OSV		BELL-CVE-2026-46116
29 May 202606:09
osv
OSV		DEBIAN-CVE-2026-46116
28 May 202610:16
osv
OSV		ECHO-C00C-E4EC-3A9B
28 May 202623:19
osv
OSV		ROOT-OS-DEBIAN-11-CVE-2026-46116 CVE-2026-46116 in rootio-linux - Patched by Root
31 May 202603:58
osv
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(317548);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/01");

  script_cve_id("CVE-2026-46116");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-46116");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete KASAN reproduces a slab-use-after-free in
    __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on
    6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique
    signatures cluster in the xfrm_state lifecycle, the load-bearing one being: BUG: KASAN: slab-use-after-
    free in __hlist_del include/linux/list.h:990 [inline] BUG: KASAN: slab-use-after-free in hlist_del_rcu
    include/linux/rculist.h:516 [inline] BUG: KASAN: slab-use-after-free in __xfrm_state_delete
    net/xfrm/xfrm_state.c Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435 Workqueue: netns
    cleanup_net Call Trace: __hlist_del / hlist_del_rcu __xfrm_state_delete xfrm_state_delete xfrm_state_flush
    xfrm_state_fini ops_exit_list cleanup_net The other observed signatures hit the same slab object from
    __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete,
    all on the byseq/byspi hash chains. __xfrm_state_delete() guards its byseq and byspi unhashes with value-
    based predicates: if (x->km.seq) hlist_del_rcu(&x->byseq); if (x->id.spi) hlist_del_rcu(&x->byspi); while
    everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is
    used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into
    byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi
    unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq,
    and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same
    object writes through LIST_POISON pprev. The defensive change here: - Use hlist_del_init_rcu() instead of
    hlist_del_rcu() on bydst, bysrc, byseq and byspi so a second deletion is a no-op rather than a write
    through LIST_POISON pprev. The byseq/byspi nodes are already initialised in xfrm_state_alloc(). - Test
    hlist_unhashed() rather than the value predicate for byseq/byspi, so the unhash decision tracks list state
    rather than mutable scalar fields. Empirical verification: applied this patch on top of v6.12.47, rebuilt,
    and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100
    hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in
    __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state
    UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run
    (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.
    Reproduction: - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV - syzkaller @
    746545b8b1e4c3a128db8652b340d3df90ce61db - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal - 9 unique
    signatures collected in ~9h, all within xfrm_state lifecycle (CVE-2026-46116)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-46116");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-46116");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "btrfs-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "cdrom-core-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "ext4-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "fat-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "isofs-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "jfs-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "kernel-image-6.1.0-47-alpha-generic-di"},
          {"reference": "linux-doc"},
          {"reference": "linux-doc-6.1"},
          {"reference": "linux-headers-6.1.0"},
          {"reference": "linux-source"},
          {"reference": "linux-source-6.1"},
          {"reference": "linux-support-6.1.0"},
          {"reference": "loop-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "nic-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "nic-shared-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "nic-wireless-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "pata-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "ppp-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "scsi-core-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "scsi-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "scsi-nic-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "serial-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "usb-serial-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "xfs-modules-6.1.0-47-alpha-generic-di"}
        ]
      }
    ]
  },
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "bpftool"},
          {"reference": "btrfs-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "cdrom-core-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "hyperv-daemons"},
          {"reference": "kernel-image-5.10.0-32-alpha-generic-di"},
          {"reference": "libcpupower-dev"},
          {"reference": "libcpupower1"},
          {"reference": "linux-bootwrapper-5.10.0"},
          {"reference": "linux-config-5.10"},
          {"reference": "linux-cpupower"},
          {"reference": "linux-doc"},
          {"reference": "linux-doc-5.10"},
          {"reference": "linux-headers-5.10.0"},
          {"reference": "linux-kbuild-5.10"},
          {"reference": "linux-libc-dev"},
          {"reference": "linux-perf"},
          {"reference": "linux-perf-5.10"},
          {"reference": "linux-source"},
          {"reference": "linux-source-5.10"},
          {"reference": "linux-support-5.10.0"},
          {"reference": "loop-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "nic-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "nic-shared-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "nic-wireless-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "pata-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "ppp-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "scsi-core-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "scsi-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "scsi-nic-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "serial-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "usb-serial-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "usbip"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jun 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.17.8
EPSS0.00013
linux kernelxfrm stateuse after freekasan bugmemory corruptionsyzkallerlinux six twelve
6