CVE-2026-46104 (GCVE-0-2026-46104)

Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-05-28 09:35
VLAI
Title
selinux: use sk blob accessor in socket permission helpers
Summary
In the Linux kernel, the following vulnerability has been resolved: selinux: use sk blob accessor in socket permission helpers SELinux socket state lives in the composite LSM socket blob. sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero. In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks. Use selinux_sock() instead of accessing sk->sk_security directly.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d1d991efaf34606d500dcbd28bedc0666eeec8e2 , < d350fef4bc2467fe1bce15f7a20fe60e01ce41ad (git)
Affected: d1d991efaf34606d500dcbd28bedc0666eeec8e2 , < 7eca71f57f194c1638ebb7f4097d6be8fd04c101 (git)
Affected: d1d991efaf34606d500dcbd28bedc0666eeec8e2 , < 032e70aff025d7c519af9ab791cd084380619263 (git)
Create a notification for this product.
Linux Linux Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/selinux/hooks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d350fef4bc2467fe1bce15f7a20fe60e01ce41ad",
              "status": "affected",
              "version": "d1d991efaf34606d500dcbd28bedc0666eeec8e2",
              "versionType": "git"
            },
            {
              "lessThan": "7eca71f57f194c1638ebb7f4097d6be8fd04c101",
              "status": "affected",
              "version": "d1d991efaf34606d500dcbd28bedc0666eeec8e2",
              "versionType": "git"
            },
            {
              "lessThan": "032e70aff025d7c519af9ab791cd084380619263",
              "status": "affected",
              "version": "d1d991efaf34606d500dcbd28bedc0666eeec8e2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/selinux/hooks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc2",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: use sk blob accessor in socket permission helpers\n\nSELinux socket state lives in the composite LSM socket blob.\n\nsock_has_perm() and nlmsg_sock_has_extended_perms() currently\ndereference sk-\u003esk_security directly, which assumes the SELinux socket\nblob is at offset zero.\n\nIn stacked configurations that assumption does not hold. If another LSM\nallocates socket blob storage before SELinux, these helpers may read the\nwrong blob and feed invalid SID and class values into AVC checks.\n\nUse selinux_sock() instead of accessing sk-\u003esk_security directly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T09:35:07.397Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d350fef4bc2467fe1bce15f7a20fe60e01ce41ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/7eca71f57f194c1638ebb7f4097d6be8fd04c101"
        },
        {
          "url": "https://git.kernel.org/stable/c/032e70aff025d7c519af9ab791cd084380619263"
        }
      ],
      "title": "selinux: use sk blob accessor in socket permission helpers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46104",
    "datePublished": "2026-05-28T09:35:07.397Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-05-28T09:35:07.397Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46104",
      "date": "2026-05-29",
      "epss": "0.00017",
      "percentile": "0.04336"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46104\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-28T10:16:25.757\",\"lastModified\":\"2026-05-28T13:44:01.663\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nselinux: use sk blob accessor in socket permission helpers\\n\\nSELinux socket state lives in the composite LSM socket blob.\\n\\nsock_has_perm() and nlmsg_sock_has_extended_perms() currently\\ndereference sk-\u003esk_security directly, which assumes the SELinux socket\\nblob is at offset zero.\\n\\nIn stacked configurations that assumption does not hold. If another LSM\\nallocates socket blob storage before SELinux, these helpers may read the\\nwrong blob and feed invalid SID and class values into AVC checks.\\n\\nUse selinux_sock() instead of accessing sk-\u003esk_security directly.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/032e70aff025d7c519af9ab791cd084380619263\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7eca71f57f194c1638ebb7f4097d6be8fd04c101\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d350fef4bc2467fe1bce15f7a20fe60e01ce41ad\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.