CVE Catalog

CVE-2026-46104

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found in SELinux where socket permission helpers (sock_has_perm and nlmsg_sock_has_extended_perms) directly dereferenced sk->sk_security, assuming the SELinux socket blob is at offset zero. In stacked LSM configurations, this assumption is invalid, potentially causing the wrong blob to be read and invalid SID and class values to be fed into AVC checks.

Risk Assessment

The risk involves potential bypass or misapplication of SELinux security rules, which could allow unauthorized socket access or privilege escalation in systems with multiple LSM modules.

Recommendation

Immediately update the Linux kernel to a version containing the fix that replaces direct sk->sk_security references with the selinux_sock() function.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: selinux: use sk blob accessor in socket permission helpers SELinux socket state lives in the composite LSM socket blob. sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero. In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks. Use selinux_sock() instead of accessing sk->sk_security directly.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS