Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Local crypto-API access only (AV:L), exploitation needs winning a heavy-load timing race (AC:H), low-priv local use of the driver suffices (PR:L); kernel UAF yields high C/I/A.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/sec2 - prevent req used-after-free for sec
During packet transmission, if the system is under heavy load, the hardware might complete processing the packet and free the request memory (req) before the transmission function finishes. If the software subsequently accesses this req, a use-after-free error will occur. The qp_ctx memory exists throughout the packet sending process, so replace the req with the qp_ctx.
AnalysisAI
Use-after-free in the Linux kernel's HiSilicon SEC2 crypto accelerator driver (crypto/hisilicon/sec2) allows local memory corruption when, under heavy load, the hardware completes and frees a request (req) before the software transmission path finishes referencing it. The fix replaces the freed req with the longer-lived qp_ctx pointer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the HiSilicon SEC2 crypto driver (drivers/crypto/hisilicon/sec2) to be loaded and active on physical HiSilicon SEC accelerator hardware, plus local access to submit crypto offload work. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user or compromised low-privilege process drives sustained crypto offload requests through the SEC2 driver on a HiSilicon-equipped host; under heavy load the hardware frees a request structure that the send path then dereferences, corrupting kernel memory. With careful heap grooming this use-after-free could be steered toward information disclosure or privilege escalation, though no public PoC exists and exploitation requires winning a timing race. |
| Remediation | Upstream fix available (commits/stable patches); released patched version not independently confirmed beyond the stable references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Query infrastructure team to identify all systems with HiSilicon SEC2 crypto accelerators and document current Linux kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38923
GHSA-22hh-g7wj-354w