Skip to main content

Linux Kernel CVE-2026-43043

| EUVDEUVD-2026-26642 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 19:07 vuln.today
CVSS changed
May 08, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26642
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

crypto: af-alg - fix NULL pointer dereference in scatterwalk

The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL) when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent sendmsg() allocates a new SGL and chains it, but fails to clear the end marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when performing sg_chain() in af_alg_alloc_tsgl().

AnalysisAI

Denial of service in the Linux kernel AF_ALG crypto interface allows local authenticated attackers to trigger a NULL pointer dereference and kernel panic by sending sequential sendmsg() calls that cause scatter-gather list chain operations to fail to properly unmark SGL boundaries. The vulnerability occurs when AF_ALG allocates chained SGL structures without clearing end markers on previous entries, causing the crypto scatterwalk to encounter premature termination and dereference NULL pointers. CVSS 5.5 (AV:L/AC:L/PR:L) reflects local-only attack requirement with low complexity; EPSS 0.02% (7th percentile) indicates minimal real-world exploitation risk despite kernel panic severity.

Technical ContextAI

The AF_ALG (address family cryptographic algorithm) interface in the Linux kernel provides user-space access to cryptographic transformations via AF_ALG socket family. The vulnerability exists in the scatter-gather list (SGL) chaining mechanism used by the af_alg_tsgl structure (transmit SGL). When sendmsg() operations fill an SGL to exactly MAX_SGL_ENTS entries, the final entry is marked with an end-of-list flag. Subsequent sendmsg() calls that require additional buffer space trigger allocation of new SGL structures, which are then chained to the previous SGL via sg_chain(). The bug: af_alg_alloc_tsgl() fails to clear the end marker on the previous SGL's last data entry before chaining. This causes the crypto scatterwalk code to iterate the SGL, hit the premature end marker, call sg_next() on the flagged entry, and receive NULL-leading to immediate NULL pointer dereference (CWE-476) during subsequent kernel operations. The fix explicitly unmarked the end-of-list flag on the previous SGL before performing sg_chain().

RemediationAI

Vendor-released patches are available for all affected stable Linux branches: apply Linux 6.19.12 or later for 6.19.x; Linux 6.18.22 or later for 6.18.x; Linux 6.12.81 or later for 6.12.x; Linux 6.6.134 or later for 6.6.x; Linux 5.15.203 or later for 5.15.x; or Linux 5.10.253 or later for 5.10.x. Upstream fix commits are available at git.kernel.org/stable (refs: f48d3dd99199180cf37d6253550c55e86372309a, f9acceae7b004956851fd4268edf9f518a9bce04, 7195350fb78538c25cd790d703f8f2c73ee0d395, 7cdf2c6381b21ab5ccf8116750d5582fcd6c0f49, 44eafa39363e8d5dfda6a8c6eb6b45458ed4b948, 00cbdec17c15d024a1c5002c7365df7624a18a75, 4b03ab0a587ec57eb7ddb5c115d84a42896f60f7, 62397b493e14107ae82d8b80938f293d95425bcb). For systems unable to upgrade immediately, restrict AF_ALG socket access via AppArmor/SELinux profile or disable unprivileged AF_ALG via sysctl (if available on your kernel version) as a compensating control, though this limits legitimate cryptographic workloads. The patch itself is low-risk, involving only a single flag-clearing operation in the SGL chain path with no side effects on non-chained operations.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy