{"id":58486,"date":"2026-05-30T07:58:15","date_gmt":"2026-05-30T07:58:15","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=58486"},"modified":"2026-05-30T07:58:15","modified_gmt":"2026-05-30T07:58:15","slug":"xfrm-defensively-unhash-xfrmstate-lists-in-xfrmstatedelete","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=58486","title":{"rendered":"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116"},"content":{"rendered":"

{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfrm: defensively unhash xfrm_state lists in __xfrm_state_delete\\n\\nKASAN reproduces a slab-use-after-free in __xfrm_state_delete()’s\\nhlist_del_rcu calls under syzkaller load on linux-6.12.y stable\\n(reproduced on 6.12.47, also reachable via the same code path on\\ntorvalds\/master and on the ipsec tree). Nine unique signatures cluster\\nin the xfrm_state lifecycle, the load-bearing one being:\\n\\n BUG: KASAN: slab-use-after-free in __hlist_del include\/linux\/list.h:990 [inline]\\n BUG: KASAN: slab-use-after-free in hlist_del_rcu include\/linux\/rculist.h:516 [inline]\\n BUG: KASAN: slab-use-after-free in __xfrm_state_delete net\/xfrm\/xfrm_state.c\\n Write of size 8 at addr ffff8881198bcb70 by task kworker\/u8:9\/435\\n\\n Workqueue: netns cleanup_net\\n Call Trace:\\n __hlist_del \/ hlist_del_rcu\\n __xfrm_state_delete\\n xfrm_state_delete\\n xfrm_state_flush\\n xfrm_state_fini\\n ops_exit_list\\n cleanup_net\\n\\nThe other observed signatures hit the same slab object from\\n__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB\\nwrite variant of __xfrm_state_delete, all on the byseq\/byspi\\nhash chains.\\n\\n__xfrm_state_delete() guards its byseq and byspi unhashes with\\nvalue-based predicates:\\n\\n\\tif (x-\\u003ekm.seq)\\n\\t\\thlist_del_rcu(\\u0026x-\\u003ebyseq);\\n\\tif (x-\\u003eid.spi)\\n\\t\\thlist_del_rcu(\\u0026x-\\u003ebyspi);\\n\\nwhile everywhere else in the file (e.g. state_cache, state_cache_input)\\nthe safer hlist_unhashed() check is used. xfrm_alloc_spi() sets\\nx-\\u003eid.spi = newspi inside xfrm_state_lock and then immediately inserts\\ninto byspi, but a path that observes x-\\u003eid.spi != 0 outside of\\nxfrm_state_lock can still skip-or-hit the byspi unhash inconsistently\\nwith whether x is actually on the list. The same holds for x-\\u003ekm.seq\\nversus byseq, and the bydst\/bysrc unhashes have no predicate at all,\\nso a second __xfrm_state_delete() on the same object writes through\\nLIST_POISON pprev.\\n\\nThe defensive change here:\\n\\n – Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,\\n bysrc, byseq and byspi so a second deletion is a no-op rather\\n than a write through LIST_POISON pprev. The byseq\/byspi nodes\\n are already initialised in xfrm_state_alloc().\\n – Test hlist_unhashed() rather than the value predicate for\\n byseq\/byspi, so the unhash decision tracks list state rather than\\n mutable scalar fields.\\n\\nEmpirical verification: applied this patch on top of v6.12.47, rebuilt,\\nand re-ran the same syzkaller harness for 1h16m on a previously-crashy\\nconfiguration that produced ~100 hits each of slab-use-after-free\\nRead in xfrm_alloc_spi \/ Read in __xfrm_state_lookup \/ Write in\\n__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at\\n~1550 exec\/sec produced zero xfrm_state UAF\/OOB hits. \/proc\/slabinfo\\nconfirms the xfrm_state slab is actively allocated and freed during\\nthe run (~143 KiB resident), so the fuzzer is still exercising those\\ncode paths — they just no longer crash.\\n\\nReproduction:\\n\\n – Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV\\n – syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db\\n – 32 QEMU\/KVM VMs x 2 vCPU on AWS c5.metal bare metal\\n – 9 unique signatures collected in ~9h, all within xfrm_state\\n lifecycle”,”published”:”2026-05-28T09:35:30.689Z”,”modified”:”2026-05-30T10:47:52.774Z”,”type”:”cve”,”title”:”xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/b4a53add2fa8f1b5aa17d4c5686c320785fab182\\nhttps:\/\/git.kernel.org\/stable\/c\/26edb0a3c99f9d958c212be68b21f1221614dcf0\\nhttps:\/\/git.kernel.org\/stable\/c\/4980162de555cb838f1a189ce7d2cbf5d2e7b050\\nhttps:\/\/git.kernel.org\/stable\/c\/a2e2d08fb070fab4947447171f1c4e3ca5a188e5\\nhttps:\/\/git.kernel.org\/stable\/c\/14acf9652e5690de3c7486c6db5fb8dafd0a32a3″,”id”:”CVE-2026-46116″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 7b4dc3600e4877178ba94c7fbf7e520421378aa6\\nLinux Linux 7b4dc3600e4877178ba94c7fbf7e520421378aa6\\nLinux Linux 7b4dc3600e4877178ba94c7fbf7e520421378aa6\\nLinux Linux 7b4dc3600e4877178ba94c7fbf7e520421378aa6\\nLinux Linux 7b4dc3600e4877178ba94c7fbf7e520421378aa6\\nLinux Linux 2.6.19″,”sourceHref”:””,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”7b4dc3600e4877178ba94c7fbf7e520421378aa6″,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfrm: defensively unhash xfrm_state lists in __xfrm_state_delete\\n\\nKASAN reproduces a slab-use-after-free in __xfrm_state_delete()’s\\nhlist_del_rcu calls under syzkaller load…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,28,12,15,13,7,11,5],"class_list":["post-58486","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nxfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=58486\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:nnxfrm: defensively unhash xfrm_state lists in __xfrm_state_deletennKASAN reproduces a slab-use-after-free in __xfrm_state_delete()’snhlist_del_rcu calls under syzkaller load...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=58486\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-30T07:58:15+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58486#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58486\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116\",\"datePublished\":\"2026-05-30T07:58:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58486\"},\"wordCount\":841,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.8\",\"exploit\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=58486#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58486\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58486\",\"name\":\"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-30T07:58:15+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58486#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=58486\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=58486#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=58486","og_locale":"en_US","og_type":"article","og_title":"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116 - zero redgem","og_description":"{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:nnxfrm: defensively unhash xfrm_state lists in __xfrm_state_deletennKASAN reproduces a slab-use-after-free in __xfrm_state_delete()’snhlist_del_rcu calls under syzkaller load...","og_url":"https:\/\/zero.redgem.net\/?p=58486","og_site_name":"zero redgem","article_published_time":"2026-05-30T07:58:15+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=58486#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=58486"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116","datePublished":"2026-05-30T07:58:15+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=58486"},"wordCount":841,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.8","exploit","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=58486#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=58486","url":"https:\/\/zero.redgem.net\/?p=58486","name":"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-30T07:58:15+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=58486#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=58486"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=58486#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete_CVE-2026-46116"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/58486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=58486"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/58486\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=58486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=58486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=58486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}