Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Key leakage is confidentiality-only (C:H/A:N); AC:H reflects required deliberate dynamic-debug activation; PR:L for debugfs write and log read access.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
crypto: caam - guard HMAC key hex dumps in hash_digest_key
Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in hash_digest_key() to avoid leaking secrets at runtime when CONFIG_DYNAMIC_DEBUG is enabled.
AnalysisAI
Sensitive HMAC key material is exposed through kernel debug logging in the Linux kernel's CAAM (Cryptographic Acceleration and Assurance Module) crypto driver. On systems with CONFIG_DYNAMIC_DEBUG enabled and debug output activated for the caam module at runtime, calls to hash_digest_key() emit raw HMAC key bytes via hex dump into the kernel log, allowing any local attacker with debug log read access to extract cryptographic secrets. No public exploit code has been identified and EPSS probability is 0.02%, though the confidentiality impact is severe if exploitation conditions are met. The provided CVSS vector (C:N/A:H) appears to misclassify this as an availability issue rather than a confidentiality issue - see confidence notes.
Technical ContextAI
The affected code resides in drivers/crypto/caam/caamhash.c within the Linux kernel's CAAM driver, which provides hardware-accelerated cryptographic operations on NXP/Freescale SoC platforms (i.MX, QorIQ, Layerscape). The vulnerability arises because hash_digest_key() used a debug hex dump function that activates at runtime under CONFIG_DYNAMIC_DEBUG when the operator enables debug tracing for the caam module (e.g., via /sys/kernel/debug/dynamic_debug/control). The fix replaces this call with print_hex_dump_devel(), which is compiled out unless DEBUG is defined at build time for that specific translation unit - a much stricter gate that prevents runtime activation of key material logging. The root cause aligns with CWE-532 (Insertion of Sensitive Information into Log File), though NVD lists no CWE. The affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, with the vulnerability present since approximately Linux 3.6 when the CAAM driver was introduced.
RemediationAI
The primary fix is upgrading to a patched stable kernel version: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or any 7.1-rc1 or later release. Patches are available at the upstream kernel stable tree references provided (git.kernel.org/stable). If immediate kernel upgrade is not possible, the most effective compensating control is to ensure dynamic debug is not enabled for the caam module at runtime - verify that no activation entries for 'caam' or 'caamhash' appear in /sys/kernel/debug/dynamic_debug/control, and restrict write access to that interface to root only. As an additional layer, restrict read access to dmesg and kernel debug logs (e.g., via kernel.dmesg_restrict=1 sysctl, which limits dmesg to CAP_SYS_ADMIN), though this does not prevent disclosure to privileged local users. Note that disabling dynamic debug system-wide may impair kernel debugging capabilities for operators - assess this trade-off before applying. Advisory and patch tracking reference: https://nvd.nist.gov/vuln/detail/CVE-2026-46291 and EUVD-2026-35157.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35157
GHSA-66f6-qxv2-c6gr