Skip to main content

Linux Kernel CVE-2026-43492

| EUVDEUVD-2026-30878 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-19 Linux GHSA-q8fh-4v85-p8mj
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required to invoke keyctl; AC:L because trigger conditions are precisely specified and reliably reproducible; availability-only impact from kernel infinite loop DoS.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 19:46 vuln.today
CVSS changed
Jun 26, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch available
May 19, 2026 - 12:02 EUVD
CVE Published
May 19, 2026 - 10:44 nvd
MEDIUM 5.5
CVE Published
May 19, 2026 - 10:44 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to "nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger "out_len" than "in_len" and filling the "in" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:

sys_keyctl() keyctl_pkey_e_d_s() asymmetric_key_eds_op() software_key_eds_op() crypto_akcipher_sync_encrypt() crypto_akcipher_sync_prep() crypto_akcipher_encrypt() rsa_enc() mpi_read_raw_from_sgl()

To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.

Fix it.

AnalysisAI

Integer underflow in the Linux kernel's MPI crypto library function mpi_read_raw_from_sgl() allows a local low-privileged user to trigger an infinite kernel loop via the KEYCTL_PKEY_ENCRYPT syscall, causing a system-wide denial of service with soft lockup splats. The flaw was latent since commit 2d4d1eea540b but became exploitable only after commit 63ba4d67594a changed how asymmetric key operations construct scatterlists, allowing out_len > in_len with a zero-filled buffer to satisfy the underflow condition. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), but the attack path is fully described in the upstream commit message, making independent reproduction straightforward.

Technical ContextAI

The vulnerability resides in lib/crypto/mpi/mpi-bit.c within the Linux kernel's multi-precision integer (MPI) library used by the asymmetric key subsystem for RSA operations. The root cause is CWE-190 (Integer Overflow/Underflow): the function mpi_read_raw_from_sgl() counts leading zero bytes (lzeros) across the scatterlist in an unsigned accumulator and subtracts them from nbytes (also unsigned). When the scatterlist is longer than nbytes and all of the first nbytes + 1 bytes are zero, the loop accumulates more zeroes than nbytes permits, producing an unsigned integer wraparound to a very large value. This causes the subsequent memory operation to loop indefinitely. The exploitable path runs through sys_keyctl()keyctl_pkey_e_d_s()software_key_eds_op()crypto_akcipher_sync_encrypt()crypto_akcipher_sync_prep()rsa_enc()mpi_read_raw_from_sgl(). The CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1. Stable-branch patch commits are available at https://git.kernel.org/stable/c/2aa77a18dc7f2670497fe3ee5acbeda0b57659e5, https://git.kernel.org/stable/c/26d3a97ad46c7a9226ec04d4bf35bd4998a97d16, https://git.kernel.org/stable/c/8637dfb4c1d8a7026ef681f2477c6de8b71c4003, https://git.kernel.org/stable/c/30e513e755bb381afce6fb57cdc8694136193f22, and https://git.kernel.org/stable/c/8c2f1288250a90a4b5cabed5d888d7e3aeed4003. Where patching is not immediately possible, restrict access to the KEYCTL_PKEY_ENCRYPT keyctl operation using seccomp-bpf profiles (SCMP_SYS(keyctl) filter), SELinux or AppArmor policy denying sys_keyctl, or systemd SystemCallFilter=~@keyring - note this will break applications using kernel-managed asymmetric keys for signature verification or TLS offload. In container environments, ensure user namespaces do not grant access to the keyctl syscall for untrusted workloads.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-43492 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy