Skip to main content

Linux Kernel EUVDEUVD-2026-28620

| CVE-2026-43336 HIGH
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cw2x-g67m-8387
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:25 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
HIGH 7.5
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: chacha: Zeroize permuted_state before it leaves scope

Since the ChaCha permutation is invertible, the local variable 'permuted_state' is sufficient to compute the original 'state', and thus the key, even after the permutation has been done.

While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don't bother at all since it's not guaranteed to work anyway), the kernel does try to do it as a best practice, especially in cases involving the RNG.

Thus, explicitly zeroize 'permuted_state' before it goes out of scope.

AnalysisAI

ChaCha cipher implementation in the Linux kernel leaks cryptographic key material through an improperly zeroized stack variable. The ChaCha permutation function leaves 'permuted_state' on the stack after execution, which can be used to reverse-compute the original encryption key since ChaCha's permutation is mathematically invertible. This information disclosure affects kernel cryptographic operations including the RNG (random number generator). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are available across all maintained kernel versions from 5.10.253 through 6.19.12.

Technical ContextAI

This vulnerability affects the ChaCha stream cipher implementation in lib/crypto/chacha.c, specifically the permutation function used in kernel cryptographic operations. ChaCha20 is a widely-deployed stream cipher used for encryption and as a cryptographic building block in the kernel's random number generator. The cipher operates through a reversible permutation function that transforms an initial state (containing the key) into a pseudorandom output. The vulnerability stems from a stack hygiene issue: after the permutation completes, the intermediate 'permuted_state' variable remains on the stack without explicit memory sanitization. Because ChaCha's permutation is mathematically invertible, an attacker with the ability to read kernel stack memory could reverse the permutation to recover the original state, including the encryption key. While the kernel generally attempts to zeroize sensitive stack data as a defense-in-depth measure (though not consistently), this particular location was missed. The fix introduced explicit memzero_explicit() calls to sanitize the stack variable before function return. This affects all kernel versions since ChaCha was introduced in 4.2 (commit c08d0e647305c3f8f640010a56c9e4bafb9488d3).

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.253 or later for 5.10.x branch, 5.15.203+ for 5.15.x, 6.1.169+ for 6.1.x, 6.6.135+ for 6.6.x, 6.12.82+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0+. Patch commits are available at https://git.kernel.org/stable/c/e90ee961af515a484f091678ce58a4c3f7b73b02 (mainline) and corresponding backports linked in NVD references. For systems unable to upgrade immediately, implement defense-in-depth controls to limit kernel memory disclosure attack surface: enable kernel address space layout randomization (KASLR), apply Spectre/Meltdown mitigations if not already active, restrict access to /proc/kallsyms and kernel debugging interfaces, and minimize privileged container or VM escape opportunities. Note that compensating controls only reduce chaining risk-they do not address the underlying key material exposure. Organizations using the kernel RNG for cryptographic operations should consider rekeying sensitive material after patching if there is evidence of prior kernel memory disclosure exploitation. No significant performance impact or compatibility issues are expected from the patch as it only adds explicit memory zeroing before function return.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy