CVE-2026-46028
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
A vulnerability has been identified in the Linux kernel related to the algif_aead algorithm, affecting asynchronous AEAD requests. The issue arises from the use of a socket-wide IV buffer, which can lead to inconsistent IV handling due to later socket activity.
Risk Assessment
Organizations may be at risk of unauthorized access to or modification of data, potentially leading to serious security breaches.
Recommendation
It is recommended to update the Linux kernel to the latest version to eliminate this vulnerability and ensure proper IV management in asynchronous AEAD requests.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - snapshot IV for async AEAD requests AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the original request has fully completed, which can lead to inconsistent IV handling. Snapshot the IV into per-request storage when preparing the AEAD request, so in-flight operations no longer depend on mutable socket state.

