{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46104", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.097Z", "datePublished": "2026-05-28T09:35:07.397Z", "dateUpdated": "2026-05-28T09:35:07.397Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-28T09:35:07.397Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: use sk blob accessor in socket permission helpers\n\nSELinux socket state lives in the composite LSM socket blob.\n\nsock_has_perm() and nlmsg_sock_has_extended_perms() currently\ndereference sk->sk_security directly, which assumes the SELinux socket\nblob is at offset zero.\n\nIn stacked configurations that assumption does not hold. If another LSM\nallocates socket blob storage before SELinux, these helpers may read the\nwrong blob and feed invalid SID and class values into AVC checks.\n\nUse selinux_sock() instead of accessing sk->sk_security directly."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/selinux/hooks.c"], "versions": [{"version": "d1d991efaf34606d500dcbd28bedc0666eeec8e2", "lessThan": "d350fef4bc2467fe1bce15f7a20fe60e01ce41ad", "status": "affected", "versionType": "git"}, {"version": "d1d991efaf34606d500dcbd28bedc0666eeec8e2", "lessThan": "7eca71f57f194c1638ebb7f4097d6be8fd04c101", "status": "affected", "versionType": "git"}, {"version": "d1d991efaf34606d500dcbd28bedc0666eeec8e2", "lessThan": "032e70aff025d7c519af9ab791cd084380619263", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/selinux/hooks.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.30", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.7", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.1-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d350fef4bc2467fe1bce15f7a20fe60e01ce41ad"}, {"url": "https://git.kernel.org/stable/c/7eca71f57f194c1638ebb7f4097d6be8fd04c101"}, {"url": "https://git.kernel.org/stable/c/032e70aff025d7c519af9ab791cd084380619263"}], "title": "selinux: use sk blob accessor in socket permission helpers", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: use sk blob accessor in socket permission helpers\n\nSELinux socket state lives in the composite LSM socket blob.\n\nsock_has_perm() and nlmsg_sock_has_extended_perms() currently\ndereference sk->sk_security directly, which assumes the SELinux socket\nblob is at offset zero.\n\nIn stacked configurations that assumption does not hold. If another LSM\nallocates socket blob storage before SELinux, these helpers may read the\nwrong blob and feed invalid SID and class values into AVC checks.\n\nUse selinux_sock() instead of accessing sk->sk_security directly."}], "id": "CVE-2026-46104", "lastModified": "2026-05-28T10:16:25.757", "metrics": {}, "published": "2026-05-28T10:16:25.757", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/032e70aff025d7c519af9ab791cd084380619263"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7eca71f57f194c1638ebb7f4097d6be8fd04c101"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d350fef4bc2467fe1bce15f7a20fe60e01ce41ad"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"created": "2026-05-28T11:30:15.487502+00:00", "updated": "2026-05-28T11:30:15.487511+00:00", "vendors": [], "weaknesses": ["CWE-730", "CWE-665"]}