{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23060", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.952Z", "datePublished": "2026-02-04T16:07:42.860Z", "dateUpdated": "2026-05-11T21:59:13.583Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:13.583Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec\n\nauthencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than\nthe minimum expected length, crypto_authenc_esn_decrypt() can advance past\nthe end of the destination scatterlist and trigger a NULL pointer dereference\nin scatterwalk_map_and_copy(), leading to a kernel panic (DoS).\n\nAdd a minimum AAD length check to fail fast on invalid inputs."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["crypto/authencesn.c"], "versions": [{"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234", "lessThan": "df22c9a65e9a9daa368a72fed596af9d7d5876bb", "status": "affected", "versionType": "git"}, {"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234", "lessThan": "fee86edf5803f1d1f19e3b4f2dacac241bddfa48", "status": "affected", "versionType": "git"}, {"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234", "lessThan": "767e8349f7e929b7dd95c08f0b4cb353459b365e", "status": "affected", "versionType": "git"}, {"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234", "lessThan": "b0a9609283a5c852addb513dafa655c61eebc1ef", "status": "affected", "versionType": "git"}, {"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234", "lessThan": "161bdc90fce25bd9890adc67fa1c8563a7acbf40", "status": "affected", "versionType": "git"}, {"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234", "lessThan": "9532ff0d0e90ff78a214299f594ab9bac81defe4", "status": "affected", "versionType": "git"}, {"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234", "lessThan": "2397e9264676be7794f8f7f1e9763d90bd3c7335", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["crypto/authencesn.c"], "versions": [{"version": "4.3", "status": "affected"}, {"version": "0", "lessThan": "4.3", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/df22c9a65e9a9daa368a72fed596af9d7d5876bb"}, {"url": "https://git.kernel.org/stable/c/fee86edf5803f1d1f19e3b4f2dacac241bddfa48"}, {"url": "https://git.kernel.org/stable/c/767e8349f7e929b7dd95c08f0b4cb353459b365e"}, {"url": "https://git.kernel.org/stable/c/b0a9609283a5c852addb513dafa655c61eebc1ef"}, {"url": "https://git.kernel.org/stable/c/161bdc90fce25bd9890adc67fa1c8563a7acbf40"}, {"url": "https://git.kernel.org/stable/c/9532ff0d0e90ff78a214299f594ab9bac81defe4"}, {"url": "https://git.kernel.org/stable/c/2397e9264676be7794f8f7f1e9763d90bd3c7335"}], "title": "crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "310EAF71-F6F8-4B31-8921-DF3E4773F0CD", "versionEndExcluding": "5.10.249", "versionStartIncluding": "4.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec\n\nauthencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than\nthe minimum expected length, crypto_authenc_esn_decrypt() can advance past\nthe end of the destination scatterlist and trigger a NULL pointer dereference\nin scatterwalk_map_and_copy(), leading to a kernel panic (DoS).\n\nAdd a minimum AAD length check to fail fast on invalid inputs."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncrypto: authencesn - rechazar AAD demasiado corto (assoclen&lt;8) para coincidir con la especificaci\u00f3n ESP/ESN\n\nauthencesn asume un AAD con formato ESP/ESN. Cuando assoclen es m\u00e1s corto que la longitud m\u00ednima esperada, crypto_authenc_esn_decrypt() puede avanzar m\u00e1s all\u00e1 del final de la scatterlist de destino y activar una desreferencia de puntero NULL en scatterwalk_map_and_copy(), lo que lleva a un p\u00e1nico del kernel (DoS).\n\nA\u00f1adir una comprobaci\u00f3n de longitud m\u00ednima de AAD para fallar r\u00e1pidamente con entradas no v\u00e1lidas."}], "id": "CVE-2026-23060", "lastModified": "2026-03-13T21:28:47.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:16.687", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/161bdc90fce25bd9890adc67fa1c8563a7acbf40"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2397e9264676be7794f8f7f1e9763d90bd3c7335"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/767e8349f7e929b7dd95c08f0b4cb353459b365e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9532ff0d0e90ff78a214299f594ab9bac81defe4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b0a9609283a5c852addb513dafa655c61eebc1ef"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/df22c9a65e9a9daa368a72fed596af9d7d5876bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fee86edf5803f1d1f19e3b4f2dacac241bddfa48"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec", "id": "2436779", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436779"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23060", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23060\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23060\nhttps://lore.kernel.org/linux-cve-announce/2026020414-CVE-2026-23060-6a41@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:43:18.913049+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a patched version that incorporates the minimum AAD length check added in this commit.", "If a kernel update is not immediately possible, limit exposure by blocking or filtering ESP/ESN traffic with firewall or SELinux rules to prevent malformed packets from reaching the kernel.", "Enable or review kernel logging to monitor for null pointer dereference events or unexpected panics that may indicate attempts to exploit this weakness."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via kernel panic due to null pointer dereference"}, "threat_synthesis": {"affected_systems": "Linux kernel deployments are affected, specifically kernel versions 6.19 and its release candidates 6.19\u2011rc1 through 6.19\u2011rc6, as well as any derivative builds identified by the corresponding CPE entries. All distributions shipping these kernel versions are therefore impacted.", "description_and_impact": "The vulnerability exists in the Linux kernel's authencesn cryptographic module, which processes ESP/ESN-formatted authenticated encryption data. When the associated data (AAD) is shorter than eight bytes, the function crypto_authenc_esn_decrypt can advance past the end of the destination scatterlist, causing a NULL pointer dereference inside scatterwalk_map_and_copy and resulting in a kernel crash that denies service. This represents a classic null pointer dereference (CWE\u2011476) that can be leveraged to compromise availability.", "risk_and_exploitability": "The CVSS score is 5.5, indicating moderate severity. An EPSS score below 1\u202f% and absence from KISA\u2019s KEV catalog suggest low likelihood of active exploitation. An attacker would need to inject malformed ESP/ESN packets with too\u2011short AAD toward a vulnerable host; if processed, the kernel will panic, causing a localized denial of service. This risk is limited to the affected system\u2019s availability and requires no additional privileges beyond the capability to send crafted packets."}}}}, "created": "2026-04-17T23:45:25.813750+00:00", "updated": "2026-04-17T23:45:25.813761+00:00", "vendors": []}