Skip to main content

Linux Kernel CVE-2026-45950

| EUVDEUVD-2026-32234 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j7ww-q9c4-9hxg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privilege required to invoke crypto API; hardware-specific driver with no scope change; impact is memory exhaustion only, no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 02:38 vuln.today
CVSS changed
Jun 16, 2026 - 02:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

crypto: starfive - Fix memory leak in starfive_aes_aead_do_one_req()

The starfive_aes_aead_do_one_req() function allocates rctx->adata with kzalloc() but fails to free it if sg_copy_to_buffer() or starfive_aes_hw_init() fails, which lead to memory leaks.

Since rctx->adata is unconditionally freed after the write_adata operations, ensure consistent cleanup by freeing the allocation in these earlier error paths as well.

Compile tested only. Issue found using a prototype static analysis tool and code review.

AnalysisAI

Memory leak in the Linux kernel's StarFive AES crypto driver allows a local low-privileged user on affected StarFive JH7110 RISC-V hardware to exhaust kernel memory and cause a denial of service. The flaw resides in starfive_aes_aead_do_one_req(), where kzalloc()-allocated memory for rctx->adata is not freed on two distinct error paths - failures in sg_copy_to_buffer() or starfive_aes_hw_init() - resulting in unreleased heap memory each time an AEAD operation fails. No public exploit exists and EPSS is extremely low at 0.02%, consistent with a hardware-specific, analysis-discovered defect rather than an actively targeted weakness.

Technical ContextAI

The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) and resides in drivers/crypto/starfive/ within the Linux kernel. The StarFive crypto driver accelerates AES AEAD (Authenticated Encryption with Associated Data) operations on StarFive JH7110 SoC hardware, a RISC-V-based system-on-chip used in embedded and single-board computer platforms. The function starfive_aes_aead_do_one_req() allocates a buffer via kzalloc() for rctx->adata to hold associated data, but two early exit points - one when sg_copy_to_buffer() returns an error copying scatter-gather list data, and one when starfive_aes_hw_init() fails to initialize the hardware engine - return without calling kfree() on the allocation. A corresponding free exists only on the successful write_adata path, leaving the error paths without cleanup. The CPE confirms affected scope as cpe:2.3:o:linux:linux_kernel with a version range anchored to the introducing commit 7467147ef9bf42d1ea5b3314c7a05cd542b3518e. The bug was discovered via static analysis tooling and code review, not through exploitation.

RemediationAI

The primary fix is to update the Linux kernel to a patched stable release. Vendor-released patches are available across multiple stable branches: Linux 6.12.75 (commit ccb679fdae2e62ed92fd9acb25ed809c0226fcc6), Linux 6.18.14 (commit 4869d0e4e48a5301b267d359b2561c4080791a55, https://git.kernel.org/stable/c/4869d0e4e48a5301b267d359b2561c4080791a55), Linux 6.19.4 (commit 38d80307decc1132626a30e2a62af734630ecca5, https://git.kernel.org/stable/c/38d80307decc1132626a30e2a62af734630ecca5), and Linux 7.0 (commit 5f2c964a058581e1557c32d5de651c67a80438a7, https://git.kernel.org/stable/c/5f2c964a058581e1557c32d5de651c67a80438a7). As a compensating control where patching is not immediately feasible, administrators can blacklist or unload the starfive-aes kernel module (modprobe -r starfive-aes; echo 'blacklist starfive-aes' >> /etc/modprobe.d/starfive.conf), which prevents the vulnerable code path from executing entirely; the trade-off is loss of hardware-accelerated AES on the StarFive platform, falling back to software crypto. Restricting unprivileged access to the kernel crypto API via kernel hardening (e.g., setting /proc/sys/kernel/unprivileged_bpf_disabled and reviewing CAP_NET_ADMIN policy) reduces exposure surface but does not eliminate it, as the AF_ALG socket interface for crypto is accessible to unprivileged users by default on many distributions.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45950 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy