Skip to main content

Linux Kernel EUVDEUVD-2026-35157

| CVE-2026-46291 MEDIUM
2026-06-08 Linux GHSA-66f6-qxv2-c6gr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Key leakage is confidentiality-only (C:H/A:N); AC:H reflects required deliberate dynamic-debug activation; PR:L for debugfs write and log read access.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 16:07 vuln.today
CVSS changed
Jul 08, 2026 - 15:37 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

crypto: caam - guard HMAC key hex dumps in hash_digest_key

Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in hash_digest_key() to avoid leaking secrets at runtime when CONFIG_DYNAMIC_DEBUG is enabled.

AnalysisAI

Sensitive HMAC key material is exposed through kernel debug logging in the Linux kernel's CAAM (Cryptographic Acceleration and Assurance Module) crypto driver. On systems with CONFIG_DYNAMIC_DEBUG enabled and debug output activated for the caam module at runtime, calls to hash_digest_key() emit raw HMAC key bytes via hex dump into the kernel log, allowing any local attacker with debug log read access to extract cryptographic secrets. No public exploit code has been identified and EPSS probability is 0.02%, though the confidentiality impact is severe if exploitation conditions are met. The provided CVSS vector (C:N/A:H) appears to misclassify this as an availability issue rather than a confidentiality issue - see confidence notes.

Technical ContextAI

The affected code resides in drivers/crypto/caam/caamhash.c within the Linux kernel's CAAM driver, which provides hardware-accelerated cryptographic operations on NXP/Freescale SoC platforms (i.MX, QorIQ, Layerscape). The vulnerability arises because hash_digest_key() used a debug hex dump function that activates at runtime under CONFIG_DYNAMIC_DEBUG when the operator enables debug tracing for the caam module (e.g., via /sys/kernel/debug/dynamic_debug/control). The fix replaces this call with print_hex_dump_devel(), which is compiled out unless DEBUG is defined at build time for that specific translation unit - a much stricter gate that prevents runtime activation of key material logging. The root cause aligns with CWE-532 (Insertion of Sensitive Information into Log File), though NVD lists no CWE. The affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, with the vulnerability present since approximately Linux 3.6 when the CAAM driver was introduced.

RemediationAI

The primary fix is upgrading to a patched stable kernel version: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or any 7.1-rc1 or later release. Patches are available at the upstream kernel stable tree references provided (git.kernel.org/stable). If immediate kernel upgrade is not possible, the most effective compensating control is to ensure dynamic debug is not enabled for the caam module at runtime - verify that no activation entries for 'caam' or 'caamhash' appear in /sys/kernel/debug/dynamic_debug/control, and restrict write access to that interface to root only. As an additional layer, restrict read access to dmesg and kernel debug logs (e.g., via kernel.dmesg_restrict=1 sysctl, which limits dmesg to CAP_SYS_ADMIN), though this does not prevent disclosure to privileged local users. Note that disabling dynamic debug system-wide may impair kernel debugging capabilities for operators - assess this trade-off before applying. Advisory and patch tracking reference: https://nvd.nist.gov/vuln/detail/CVE-2026-46291 and EUVD-2026-35157.

Share

EUVD-2026-35157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy