CVE-2026-46104
Description
In the Linux kernel, the following vulnerability has been resolved:
selinux: use sk blob accessor in socket permission helpers
SELinux socket state lives in the composite LSM socket blob.
sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.
In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.
Use selinux_sock() instead of accessing sk->sk_security directly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing LSM blob accessor in SELinux socket permission helpers causes incorrect SID/class lookups in stacked configurations.
Vulnerability
The Linux kernel's SELinux subsystem uses two socket permission helpers (sock_has_perm() and nlmsg_sock_has_extended_perms()) that dereference sk->sk_security directly, assuming the SELinux socket blob is at offset zero. In kernel configurations where multiple LSMs are stacked (e.g., SELinux combined with another LSM), the SELinux blob may not reside at offset zero within the composite LSM socket blob. This bug exists in kernel versions prior to the fix commit [1] and affects any system using SELinux with LSM stacking enabled.
Exploitation
An attacker does not need any special privileges or network position to trigger this vulnerability; it is exposed simply by normal socket operations that call the affected helpers. No user interaction beyond the kernel executing standard socket permission checks is required. The race window is not a factor — the issue is a static logic error in blob offset handling.
Impact
The helpers may read the wrong blob and feed invalid SID (Security ID) and class values into the Access Vector Cache (AVC) checks. This can lead to incorrect SELinux permission decisions, potentially allowing unauthorized operations or denying legitimate ones. The vulnerability can cause information disclosure or privilege escalation, depending on the policy and the operation being checked.
Mitigation
The fix is committed in the Linux kernel stable tree as commit 7eca71f57f194c1638ebb7f4097d6be8fd04c101 [1]. Users should apply this patch or update to a kernel version that includes it. No workaround is available beyond disabling LSM stacking (which may not be practical).
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches
7eca71f57f19 selinux: use sk blob accessor in socket permission helpers
1 file changed · +2 −3
security/selinux/hooks.c+2 −3 modifieddiff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 826777800d95e2..9aa740c1e2758f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4914,7 +4914,7 @@ static bool sock_skip_has_perm(u32 sid) static int sock_has_perm(struct sock *sk, u32 perms) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net; @@ -6221,7 +6221,7 @@ static unsigned int selinux_ip_postroute(void *priv, static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; u8 driver; u8 xperm; -- cgit 1.3-korg
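Review bot: the two converted call sites, at the top of sock_has_perm() and nlmsg_sock_has_extended_perms(), are the only ones this patch touches, and nothing in it shows that no other helper in security/selinux/ still reads sk->sk_security directly. Suggest the commit message state that the remaining users were audited (a search for "->sk_security" under security/selinux/ would do), so the next reader does not have to repeat the check, and that the accessor be the only documented way to reach struct sk_security_struct.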
d350fef4bc24 selinux: use sk blob accessor in socket permission helpers
1 file changed · +2 −3
security/selinux/hooks.c+2 −3 modifieddiff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b2c54c12b6136f..1135ab8a85fc50 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4780,7 +4780,7 @@ static bool sock_skip_has_perm(u32 sid) static int sock_has_perm(struct sock *sk, u32 perms) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net; @@ -6087,7 +6087,7 @@ static unsigned int selinux_ip_postroute(void *priv, static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; u8 driver; u8 xperm; -- cgit 1.3-korg
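Review bot: neither hunk adds a definition of selinux_sock(), so this change only builds on a tree that already provides the accessor. The offsets here (4780 and 6087) differ from the 4914/6221 version of the same patch, which points at a different branch of hooks.c; confirm the helper exists in that branch before applying.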
032e70aff025 selinux: use sk blob accessor in socket permission helpers
1 file changed · +2 −3
security/selinux/hooks.c+2 −3 modifieddiff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 97801966bf32c2..49c482e3fa3f9d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4920,7 +4920,7 @@ static bool sock_skip_has_perm(u32 sid) static int sock_has_perm(struct sock *sk, u32 perms) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net; @@ -6227,7 +6227,7 @@ static unsigned int selinux_ip_postroute(void *priv, static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; u8 driver; u8 xperm; -- cgit 1.3-korg
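Review bot: the "+2 −3" summary does not match the hunks. Both headers are 7 lines to 7 lines (@@ -4920,7 +4920,7 @@ and @@ -6227,7 +6227,7 @@), which is one removal and one addition each, so +2 −2. The only other line beginning with "-" is the "-- " signature separator before "cgit 1.3-korg", so the third removal looks like a counting artifact rather than a change to hooks.c; treat the hunks, not the summary, as the record of what changed.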
Vulnerability mechanics
Root cause
"Direct dereference of sk->sk_security instead of using the selinux_sock() accessor, causing the wrong LSM blob to be read in stacked configurations."
Attack vector
An attacker on a system with stacked LSMs (e.g., SELinux loaded after another LSM that also allocates socket blob storage) can trigger the bug. When `sock_has_perm()` or `nlmsg_sock_has_extended_perms()` dereferences `sk->sk_security` directly, it reads the wrong blob because the SELinux blob is not at offset zero in the composite LSM socket blob. This causes the function to feed an invalid SID and class value into the AVC (Access Vector Cache) checks, potentially granting incorrect permissions or denying legitimate access [patch_id=2898682].
Affected code
The vulnerability resides in `security/selinux/hooks.c` in two functions: `sock_has_perm()` and `nlmsg_sock_has_extended_perms()`. Both functions directly dereference `sk->sk_security` to obtain the SELinux socket security blob [patch_id=2898682].
What the fix does
The patch replaces the direct `sk->sk_security` dereference with the `selinux_sock()` accessor in both `sock_has_perm()` and `nlmsg_sock_has_extended_perms()` [patch_id=2898682]. The `selinux_sock()` helper correctly computes the offset of the SELinux blob within the composite LSM socket blob, so in stacked LSM configurations the proper `sk_security_struct` is always retrieved. This ensures that valid SID and class values are passed to AVC permission checks regardless of LSM stacking order [patch_id=2898682].
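A userspace model of the offset problem described above, added here as an illustration; it is not kernel code and not part of the patch. The struct layouts, the second LSM (other_lsm_sock), the sample SID and the sid_seen() helper are assumptions; only the shape of selinux_sock() (blob base plus SELinux's offset) follows the description.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel types; layouts are assumptions. */
struct sk_security_struct { uint32_t sid; uint16_t sclass; };
struct other_lsm_sock { uint64_t cookie; };   /* hypothetical second LSM */
struct sock { void *sk_security; };           /* composite LSM socket blob */
#define SELINUX_SID 0x1234u                   /* constructed sample value */
static size_t selinux_lbs_sock;               /* SELinux offset in the blob */

/* Accessor in the shape of selinux_sock(): blob base plus SELinux's offset. */
static struct sk_security_struct *selinux_sock(const struct sock *sk)
{
    return (struct sk_security_struct *)((char *)sk->sk_security + selinux_lbs_sock);
}

/* Build one socket blob in the given LSM order and return the SID a
 * permission helper would see, via the accessor or the pre-fix pattern. */
static uint32_t sid_seen(int other_lsm_first, int use_accessor)
{
    struct other_lsm_sock other = { 0xA5A5A5A5A5A5A5A5ull };
    struct sk_security_struct seen;
    struct sock sk;
    size_t other_off = other_lsm_first ? 0 : sizeof(struct sk_security_struct);

    selinux_lbs_sock = other_lsm_first ? sizeof(struct other_lsm_sock) : 0;
    sk.sk_security = calloc(1, sizeof(other) + sizeof(seen));
    if (!sk.sk_security)
        return 0;
    memcpy((char *)sk.sk_security + other_off, &other, sizeof(other));
    selinux_sock(&sk)->sid = SELINUX_SID;     /* SELinux initialises its slot */

    if (use_accessor)
        seen = *selinux_sock(&sk);
    else                                      /* models sk->sk_security deref */
        memcpy(&seen, sk.sk_security, sizeof(seen));
    free(sk.sk_security);
    return seen.sid;
}

int main(void)
{
    printf("SELinux first, direct:   0x%x\n", (unsigned)sid_seen(0, 0));
    printf("other first,   direct:   0x%x\n", (unsigned)sid_seen(1, 0));
    printf("other first,   accessor: 0x%x\n", (unsigned)sid_seen(1, 1));
    return 0;
}
```

With SELinux first, both access paths agree, which is why the direct dereference goes unnoticed on single-LSM builds; with the other LSM first, only the accessor returns the SID SELinux stored.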
Preconditions
- config: The system must be running a kernel with multiple LSMs stacked (e.g., SELinux loaded after another LSM that allocates socket blob storage).
- input: The kernel must have SELinux enabled and the affected functions (sock_has_perm or nlmsg_sock_has_extended_perms) must be reachable via socket operations or netlink messages.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0 (no linked articles in our index yet)