Overview
- The new CVE-2026-46300 flaw, disclosed Wednesday with a working proof-of-concept, lets an unprivileged user gain root on affected kernels.
- The bug sits in the XFRM ESP-in-TCP code path, where in-place AES-GCM decryption over file-backed pages enables controlled byte writes to the page cache and allows overwriting /usr/bin/su in memory.
- Because the attack changes only the in-memory cache of a file and not the disk copy, simple file integrity checks can miss a compromise until the system is rebooted or the cache is cleared.
- Major distributions including Red Hat, Ubuntu, Debian, SUSE, AlmaLinux, Amazon Linux, Gentoo, and CloudLinux have published advisories and begun shipping backported fixes as an upstream patch moves toward merge.
- Vendors urge immediate patching, with temporary mitigations that blacklist esp4, esp6, and rxrpc or restrict unprivileged namespaces, which can disrupt IPsec VPNs, AFS, and rootless containers; Microsoft says no in-the-wild exploitation has been observed.
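
An added example, not taken from any vendor advisory: a shell audit of the module-based mitigation named above, reporting for esp4, esp6 and rxrpc whether the module is currently loaded and whether a modprobe.d entry blocks it. It separates `blacklist` (stops alias-based autoloading only) from `install <module> /bin/false` (also stops loading by name); neither unloads a module already in memory. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the temporary module mitigation (esp4, esp6, rxrpc).
# Module names come from the page; functions and sample data are constructed.

MODULES="esp4 esp6 rxrpc"

# module_loaded NAME MODULES_FILE -> exit 0 if NAME appears as a loaded module
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# module_blocked NAME CONF_DIR -> prints "install", "blacklist" or "none"
module_blocked() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 ~ /^#/ { next }                        # skip comment lines
        $1 == "install" && $2 == m &&
            ($3 == "/bin/false" || $3 == "/bin/true") { inst = 1 }
        $1 == "blacklist" && $2 == m { bl = 1 }
        END { print (inst ? "install" : (bl ? "blacklist" : "none")) }'
}

# audit MODULES_FILE CONF_DIR -> one status line per module
audit() {
    for m in $MODULES; do
        if module_loaded "$m" "$1"; then l=yes; else l=no; fi
        echo "$m loaded=$l block=$(module_blocked "$m" "$2")"
    done
}

# demo: run the audit over constructed sample data in a temp directory
demo() {
    d=$(mktemp -d)
    mkdir "$d/modprobe.d"
    # Constructed /proc/modules excerpt: esp4 was loaded before mitigation
    printf '%s\n' 'esp4 28672 0 - Live 0x0000000000000000' \
        'xfrm_algo 16384 1 esp4, Live 0x0000000000000000' > "$d/modules"
    # Constructed modprobe.d file: rxrpc was forgotten
    printf '%s\n' '# temporary mitigation' 'blacklist esp4' \
        'install esp6 /bin/false' > "$d/modprobe.d/mitigate.conf"
    audit "$d/modules" "$d/modprobe.d"
    rm -rf "$d"
}

demo
# On a live host: audit /proc/modules /etc/modprobe.d
```

A line such as `esp4 loaded=yes block=blacklist` means the configuration entry is present but the module is still in memory and has to be unloaded, or the host rebooted, before the entry has any effect.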