Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local AF_ALG trigger by any account gives AV:L/PR:L/AC:L; an 8-byte OOB write is primarily integrity/availability (I:H/A:H) with limited confidentiality (C:L).
Primary rating from Vendor (Linux).
CVSS Vector (Vendor: Linux)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - copy IV using skcipher ivsize
AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.
ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV buffer while RFC3686 skciphers expose an 8-byte IV, so the restore overruns the provided buffer.
Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.
Analysis (AI)
Out-of-bounds write in the Linux kernel's AMD Cryptographic Coprocessor (ccp) driver allows a local low-privileged user to overrun a caller-supplied IV buffer by 8 bytes when issuing rfc3686(ctr(aes)) requests through the AF_ALG socket interface. The ccp_aes_complete() handler unconditionally copies AES_BLOCK_SIZE (16 bytes) back into the IV buffer, but RFC3686 skciphers expose only an 8-byte IV, corrupting adjacent memory. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires local access to the host and the ability to invoke the kernel crypto API through the AF_ALG socket interface (algif_skcipher), targeting specifically the rfc3686(ctr(aes)) algorithm whose IV length (8 bytes) is smaller than the AES block size (16 bytes) that the ccp completion path restored. … |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) reflects a local, low-complexity, low-privilege flaw with high impact, consistent with an 8-byte kernel memory overrun that could corrupt adjacent state and potentially be leveraged for memory corruption, crashes, or escalation. … |
| Exploit Scenario | A local unprivileged or low-privileged user on a system with the AMD CCP driver loaded opens an AF_ALG socket bound to the rfc3686(ctr(aes)) transform and submits a request with an 8-byte IV; on completion the driver writes 16 bytes back, overrunning the IV buffer by 8 bytes into adjacent kernel-managed memory. Repeated or carefully shaped requests could corrupt neighboring data structures to cause a crash (DoS) or potentially manipulate kernel state. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later) depending on your maintained branch - which replaces the hardcoded AES_BLOCK_SIZE restore with crypto_skcipher_ivsize(); the corresponding commits are at git.kernel.org/stable (e.g. … |
Recommended Action (AI)
Within 24 hours: Identify all systems running the Linux kernel with AMD ccp driver enabled and document current kernel versions across your infrastructure. …
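A triage sketch for the inventory step above, added here and not part of the original page or the kernel project: it compares an upstream-style kernel release string against the fixed versions listed in the Remediation row and checks text in `/proc/crypto` format for the rfc3686-ctr-aes-ccp driver. The function names and the sample excerpt are constructed for illustration, and it assumes upstream version numbering (distribution kernels that backport the fix under an older version number need the vendor's advisory instead).

```python
import re

# Fixed stable releases per branch, taken from the Remediation row on this page.
FIXED = {(5, 10): 258, (5, 15): 209, (6, 1): 175, (6, 6): 141,
         (6, 12): 91, (6, 18): 33, (7, 0): 10}
FIRST_FIXED_MAINLINE = (7, 1)            # "7.1 (or later)" on this page
AFFECTED_DRIVER = "rfc3686-ctr-aes-ccp"  # driver name from the CVE description

# Constructed /proc/crypto excerpt (not captured from a real host).
SAMPLE_PROC_CRYPTO = """\
name         : rfc3686(ctr(aes))
driver       : rfc3686-ctr-aes-ccp
type         : skcipher
ivsize       : 8

name         : cbc(aes)
driver       : cbc-aes-aesni
type         : skcipher
ivsize       : 16
"""


def kernel_status(release):
    """Classify an upstream-style release string such as '6.6.140-generic'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return "unparsed"
    branch, patch = (int(m[1]), int(m[2])), int(m[3] or 0)
    if branch >= FIRST_FIXED_MAINLINE:
        return "fixed"
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "needs-update"
    return "unlisted-branch"  # the page names no fixed release for this branch


def ccp_rfc3686_registered(proc_crypto_text):
    """True if the text (format of /proc/crypto) lists the affected driver."""
    for block in proc_crypto_text.strip().split("\n\n"):
        fields = {k.strip(): v.strip() for k, _, v in
                  (line.partition(":") for line in block.splitlines())}
        if fields.get("driver") == AFFECTED_DRIVER:
            return True
    return False


def triage(release, proc_crypto_text):
    """Return (kernel status, whether the affected driver is registered now)."""
    return kernel_status(release), ccp_rfc3686_registered(proc_crypto_text)


if __name__ == "__main__":
    print(triage("6.6.140-generic", SAMPLE_PROC_CRYPTO))
```

On a live host, pass `platform.release()` and the contents of `/proc/crypto`; the registration result is point-in-time, since a driver module can be loaded after the check.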
Weakness: CWE-805 – Buffer Access with Incorrect Length Value
EUVD-2026-38884
GHSA-4rx4-73jx-c5r8