
Linux Kernel CVE-2026-53016

EUVD-2026-38884 | HIGH
Buffer Access with Incorrect Length Value (CWE-805)
2026-06-24 | Linux | GHSA-4rx4-73jx-c5r8
CVSS 3.1: 7.8 · Vendor: Linux

Severity by source

Vendor (Linux), PRIMARY: 7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.3 HIGH

Local AF_ALG trigger by any account gives AV:L/PR:L/AC:L; an 8-byte OOB write is primarily integrity/availability (I:H/A:H) with limited confidentiality (C:L).

CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS Vector (Vendor: Linux)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (5 events)

Analysis Generated: Jun 28, 2026 - 08:50 (vuln.today)
CVSS changed: Jun 28, 2026 - 08:22 (NVD), 7.8 (HIGH)
Patch available: Jun 24, 2026 - 18:02 (EUVD)
CVE Published: Jun 24, 2026 - 16:29 (cve.org), HIGH 7.8
CVE Published: Jun 24, 2026 - 16:29 (cve.org), UNKNOWN (no severity yet)

Description (CVE.org)

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - copy IV using skcipher ivsize

AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.

ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV buffer while RFC3686 skciphers expose an 8-byte IV, so the restore overruns the provided buffer.

Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.

Analysis (AI)

Out-of-bounds write in the Linux kernel's AMD Cryptographic Coprocessor (ccp) driver allows a local low-privileged user to overrun a caller-supplied IV buffer by 8 bytes when issuing rfc3686(ctr(aes)) requests through the AF_ALG socket interface. The ccp_aes_complete() handler unconditionally copies AES_BLOCK_SIZE (16 bytes) back into the IV buffer, but RFC3686 skciphers expose only an 8-byte IV, corrupting adjacent memory. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Local account on AMD CCP host
Delivery: Open AF_ALG rfc3686-ctr-aes socket
Exploit: Submit request with 8-byte IV
Execution: Driver writes 16 bytes, overruns IV buffer
Persist: Corrupt adjacent kernel memory
Impact: Crash or escalate privileges

Vulnerability Assessment (AI)

Exploitation: Exploitation requires local access to the host and the ability to invoke the kernel crypto API through the AF_ALG socket interface (algif_skcipher), targeting specifically the rfc3686(ctr(aes)) algorithm whose IV length (8 bytes) is smaller than the AES block size (16 bytes) that the ccp completion path restored. …

Risk Assessment: The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) reflects a local, low-complexity, low-privilege flaw with high impact, consistent with an 8-byte kernel memory overrun that could corrupt adjacent state and potentially be leveraged for memory corruption, crashes, or escalation. …

Exploit Scenario: A local unprivileged or low-privileged user on a system with the AMD CCP driver loaded opens an AF_ALG socket bound to the rfc3686(ctr(aes)) transform and submits a request with an 8-byte IV; on completion the driver writes 16 bytes back, overrunning the IV buffer by 8 bytes into adjacent kernel-managed memory. Repeated or carefully shaped requests could corrupt neighboring data structures to cause a crash (DoS) or potentially manipulate kernel state. …

Remediation: Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later) depending on your maintained branch - which replaces the hardcoded AES_BLOCK_SIZE restore with crypto_skcipher_ivsize(); the corresponding commits are at git.kernel.org/stable (e.g. …

Recommended Action (AI)

Within 24 hours: Identify all systems running the Linux kernel with AMD ccp driver enabled and document current kernel versions across your infrastructure. …
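
The inventory step above, as an added example (not part of the advisory or the kernel project): a POSIX shell triage that compares a kernel release against the fixed stable versions listed under Remediation and checks /proc/crypto for the rfc3686-ctr-aes-ccp driver named in the description. It assumes upstream stable version numbering, so distribution kernels that backport fixes need the vendor's own advisory; the function names are illustrative.

```shell
#!/bin/sh
# Added triage example; fixed versions are the ones listed on this page.
# Assumption: upstream stable numbering (distro backports are not detected).

# First fixed patch level for a listed stable branch; empty if not listed.
fixed_patch_for() {
    case "$1" in
        5.10) echo 258 ;; 5.15) echo 209 ;; 6.1) echo 175 ;; 6.6) echo 141 ;;
        6.12) echo 91 ;;  6.18) echo 33 ;;  7.0) echo 10 ;;
    esac
}

# classify_kernel RELEASE -> prints fixed | unfixed | unknown
classify_kernel() {
    case "$1" in *-rc*) echo unknown; return ;; esac   # pre-releases: not decidable
    ver=${1%%[-+]*}                                    # drop "-generic", "+" suffixes
    case "$ver" in *.*) ;; *) echo unknown; return ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*|*.) echo unknown; return ;;
    esac
    # 7.1 and later already contain the fix
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 1 ]; }; then
        echo fixed; return
    fi
    need=$(fixed_patch_for "$major.$minor")
    if [ -z "$need" ]; then echo unknown
    elif [ "$patch" -ge "$need" ]; then echo fixed
    else echo unfixed
    fi
}

# Exit 0 if the CCP rfc3686 skcipher is registered (FILE defaults to /proc/crypto).
ccp_rfc3686_registered() {
    grep -Eq '^driver[[:space:]]*:[[:space:]]*rfc3686-ctr-aes-ccp$' \
        "${1:-/proc/crypto}" 2>/dev/null
}

# triage RELEASE [FILE] -> one summary line per host
triage() {
    if ccp_rfc3686_registered "$2"; then ccp=yes; else ccp=no; fi
    echo "kernel=$1 status=$(classify_kernel "$1") rfc3686-ctr-aes-ccp=$ccp"
}

triage "$(uname -r)"
```

A host is in scope when the summary shows `status=unfixed` together with `rfc3686-ctr-aes-ccp=yes`; `unknown` means the release is on a branch this page does not list and needs a manual check.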
