{
  "threat_severity" : "Moderate",
  "public_date" : "2026-02-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Denial of Service in authencesn due to too-short AAD",
    "id" : "2436779",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2436779"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1284",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncrypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec\nauthencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than\nthe minimum expected length, crypto_authenc_esn_decrypt() can advance past\nthe end of the destination scatterlist and trigger a NULL pointer dereference\nin scatterwalk_map_and_copy(), leading to a kernel panic (DoS).\nAdd a minimum AAD length check to fail fast on invalid inputs.", "A flaw was found in the Linux kernel's authencesn authenticated encryption with associated data implementation. A remote attacker can exploit this vulnerability by providing specially crafted associated data (AAD) with a length shorter than the expected minimum. This can lead to a NULL pointer dereference, causing a kernel panic and resulting in a Denial of Service." ],
  "statement" : "A denial of service can occur in the authencesn AEAD implementation when the associated data length is shorter than the minimum ESP ESN AAD size. With assoclen less than 8, the decrypt path can advance beyond the end of the destination scatterlist and later hit a NULL pointer dereference in scatterwalk_map_and_copy(), which can panic the kernel. For the CVSS score, PR is N in the paranoid rating because an attacker does not need local privileges if they can reach a kernel user of authencesn with attacker-controlled AAD. This is plausibly network reachable in deployments that use IPsec ESP with ESN, or other kernel paths that feed ESP-like AAD into authencesn. The impact is denial of service via a kernel crash. There is no indication of information disclosure or privilege escalation from this fix.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19074",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "kernel-0:6.12.0-211.7.3.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19225",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.5.3.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19225",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.5.3.el9_8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23060\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23060\nhttps://lore.kernel.org/linux-cve-announce/2026020414-CVE-2026-23060-6a41@gregkh/T" ],
  "name" : "CVE-2026-23060",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module authenc from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}