Skip to main content

Linux Kernel EUVDEUVD-2026-32243

| CVE-2026-45959 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6j4x-6364-q9p3
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:32 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

Annotating a local pointer variable, which will be assigned with the kmalloc-family functions, with the __cleanup(kfree) attribute will make the address of the local variable, rather than the address returned by kmalloc, passed to kfree directly and lead to a crash due to invalid deallocation of stack address. According to other places in the repo, the correct usage should be __free(kfree). The code coincidentally compiled because the parameter type void * of kfree is compatible with the desired type struct { ... } **.

AnalysisAI

Local privilege escalation or denial-of-service in the Linux kernel's AMD CCP (Cryptographic Coprocessor) driver stems from a misuse of the __cleanup(kfree) attribute on a local pointer, causing kfree() to be invoked with the address of a stack variable rather than the heap allocation returned by kmalloc. The resulting invalid deallocation of a stack address crashes the kernel and could be leveraged by a low-privileged local user for impact on confidentiality, integrity, and availability (CVSS 7.8). EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but vendor patches are available in stable trees 6.18.14 and 6.19.4.

Technical ContextAI

The bug lives in drivers/crypto/ccp, the kernel driver for AMD's Cryptographic Coprocessor used for hardware-accelerated crypto and SEV/SEV-ES/SEV-SNP confidential computing primitives. The kernel's scope-based cleanup helpers come in two forms: __free(kfree), which passes the *value* stored at the pointer to kfree() when the variable goes out of scope, and __cleanup(kfree), which (as written) ends up passing the *address* of the local pointer variable to kfree(). Because kfree() takes void *, the compiler accepted the mismatched type silently, so the slab allocator was handed a stack address - a classic CWE-763 (Release of Invalid Pointer or Reference) / CWE-590-class memory management defect. The condition is reachable on any system whose CCP driver code path containing this annotation is exercised, and it manifests as a kernel panic from the slab/SLUB allocator detecting an out-of-region free.

RemediationAI

Vendor-released patch: upgrade to Linux stable 6.18.14, 6.19.4, or any later release on those lines that contains the fix commits 90f9090e, 9a3ace9b, and d5abcc33 from https://git.kernel.org/stable/c/. For distribution kernels, install the vendor backport once published (track the references at https://nvd.nist.gov/vuln/detail/CVE-2026-45959 and your distro's security tracker). If immediate patching is not possible, the most effective compensating control is to prevent untrusted local users from reaching the CCP code path: blacklist or unload the ccp module (echo 'blacklist ccp' into /etc/modprobe.d/ and rebuild initramfs), which disables AMD hardware crypto acceleration and SEV/SEV-SNP support and is therefore unacceptable on confidential-computing hosts; alternatively, restrict access to /dev/crypto and any user-facing interfaces that funnel into ccp, and tighten local user/container provisioning. Workarounds carry real functional trade-offs (loss of hardware crypto, broken SEV-based VMs), so patching is strongly preferred over module removal.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy