Skip to main content

Linux Kernel CVE-2026-46077

| EUVDEUVD-2026-32459 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7h5h-c58v-48cq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
3.6 LOW

Non-coherent cache platform is a specific hardware prerequisite (AC:H); local user triggers via crypto API (AV:L/PR:L); stale cache leaks prior data (C:L); crypto output unreliable but no full service loss (A:L).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:27 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

crypto: atmel-tdes - fix DMA sync direction

Before DMA output is consumed by the CPU, ->dma_addr_out must be synced with dma_sync_single_for_cpu() instead of dma_sync_single_for_device(). Using the wrong direction can return stale cache data on non-coherent platforms.

AnalysisAI

Incorrect DMA synchronization direction in the Linux kernel's atmel-tdes crypto driver exposes systems running on non-coherent cache architectures to stale cache data reads. The atmel-tdes driver incorrectly calls dma_sync_single_for_device() instead of dma_sync_single_for_cpu() before the CPU consumes DMA output, causing cache invalidation to be skipped on non-coherent platforms (typically ARM-based Atmel/Microchip SoCs). This means the CPU may read stale cached data rather than actual DES/3DES operation output, producing incorrect cryptographic results and potential information exposure from prior cache contents. No public exploit exists and EPSS is 0.02%, but hardware-platform specificity limits real-world reach significantly.

Technical ContextAI

The vulnerability resides in the Linux kernel's crypto subsystem driver for the Atmel Triple DES (TDES) hardware accelerator (drivers/crypto/atmel-tdes.c), present since Linux 3.6. On non-coherent DMA platforms - where the CPU cache and DMA memory are not automatically synchronized - correct operation requires explicit cache maintenance calls. Specifically, dma_sync_single_for_cpu() must be called before the CPU reads DMA output to invalidate stale cache lines, while dma_sync_single_for_device() is the correct call before the device writes (not reads). By using the device-direction sync on output buffers, the driver skips the required cache invalidation, leaving the CPU to read whatever was previously cached at that address rather than the fresh DMA output. Affected hardware targets include Atmel AT91 and SAMA5 SoC families running ARM cores, which commonly employ non-coherent DMA. The CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers the Linux kernel broadly, with the affected range starting from commit 13802005d8f2 onward through specific stable-branch backport boundaries. The CWE is not formally assigned, but this maps to improper resource synchronization (analogous to CWE-362 or CWE-664) at the hardware/software cache coherency boundary.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel stable release: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or later. Patch commits are available at git.kernel.org/stable: c8a9a647532f (6.6.x), 12a0adfe498c (6.12.x), 5281e6e23023 (6.18.x), 863d11b39277 (7.0.x), b5f5df801d16 (7.1-rc1), with additional related commits b9b28f388, c0f3002c02, and ce3224678a also referenced. For embedded systems that cannot immediately upgrade, a practical compensating control is to disable the atmel-tdes hardware accelerator and fall back to software-only Triple DES via the kernel's generic crypto API - this eliminates the DMA path entirely and the associated sync bug, though it introduces CPU overhead for crypto operations. Additionally, restricting access to the /dev/crypto or crypto AF_ALG socket interface to privileged processes reduces the pool of potential triggering callers. Note that on coherent DMA platforms (where cache coherency is maintained in hardware), this bug has no observable effect and no action is required.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy