{
  "id": "CVE-2026-46033",
  "summary": "crypto: authencesn - reject short ahash digests during instance creation",
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject short ahash digests during instance creation\n\nauthencesn requires either a zero authsize or an authsize of at least\n4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of\nhigh-order sequence number data at the end of the authenticated data.\n\nWhile crypto_authenc_esn_setauthsize() already rejects explicit\nnon-zero authsizes in the range 1..3, crypto_authenc_esn_create()\nstill copied auth->digestsize into inst->alg.maxauthsize without\nvalidating it.  The AEAD core then initialized the tfm's default\nauthsize from that value.\n\nAs a result, selecting an ahash with digest size 1..3, such as\ncbcmac(cipher_null), exposed authencesn instances whose default\nauthsize was invalid even though setauthsize() would have rejected the\nsame value.  AF_ALG could then trigger the ESN tail handling with a\ntoo-short tag and hit an out-of-bounds access.\n\nReject authencesn instances whose ahash digest size is in the invalid\nnon-zero range 1..3 so that no tfm can inherit an unsupported default\nauthsize.",
  "modified": "2026-06-05T18:29:26.197609289Z",
  "published": "2026-05-27T12:56:42.038Z",
  "related": ["openSUSE-SU-2026:10954-1"],
  "database_specific": {
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46033.json",
    "cna_assigner": "Linux"
  },
  "references": [
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/2f31cd1e64a079c845bca31d2da7b3c90a311726"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/5db6ef9847717329f12c5ea8aba7e9f588a980c0"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/67f1f0933cc3d78dde222842bcad2778ec7a0b88"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/9aff81e8217e9de2929084b03b3c7f81988c112b"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/b42821c15445f93daea3e76ada682b2b7181c476"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/b69933e97efea238ebbfcf70c2b1be1cd03f13e3"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/d4c6a6d08e70bb1083c7c405fc7faacbf19aebc0"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46033.json"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46033"},
    {"type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            {"introduced": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd"},
            {"fixed": "77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9"},
            {"fixed": "2f31cd1e64a079c845bca31d2da7b3c90a311726"},
            {"fixed": "d4c6a6d08e70bb1083c7c405fc7faacbf19aebc0"},
            {"fixed": "b69933e97efea238ebbfcf70c2b1be1cd03f13e3"},
            {"fixed": "67f1f0933cc3d78dde222842bcad2778ec7a0b88"},
            {"fixed": "b42821c15445f93daea3e76ada682b2b7181c476"},
            {"fixed": "9aff81e8217e9de2929084b03b3c7f81988c112b"},
            {"fixed": "5db6ef9847717329f12c5ea8aba7e9f588a980c0"}
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46033.json"
      }
    },
    {
      "package": {"name": "Kernel", "ecosystem": "Linux"},
      "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "4.11.0"}, {"fixed": "5.10.258"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "5.11.0"}, {"fixed": "5.15.209"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "5.16.0"}, {"fixed": "6.1.175"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.2.0"}, {"fixed": "6.6.140"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.7.0"}, {"fixed": "6.12.86"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.13.0"}, {"fixed": "6.18.27"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.19.0"}, {"fixed": "7.0.4"}]}
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46033.json"
      }
    }
  ],
  "schema_version": "1.7.5"
}