CVE-2026-43492
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-190
Desbordamiento o ajuste de enteros
Fecha de publicación:
19/05/2026
Última modificación:
26/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()<br />
<br />
Yiming reports an integer underflow in mpi_read_raw_from_sgl() when<br />
subtracting "lzeros" from the unsigned "nbytes".<br />
<br />
For this to happen, the scatterlist "sgl" needs to occupy more bytes<br />
than the "nbytes" parameter and the first "nbytes + 1" bytes of the<br />
scatterlist must be zero. Under these conditions, the while loop<br />
iterating over the scatterlist will count more zeroes than "nbytes",<br />
subtract the number of zeroes from "nbytes" and cause the underflow.<br />
<br />
When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally<br />
introduced the bug, it couldn&#39;t be triggered because all callers of<br />
mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to<br />
"nbytes".<br />
<br />
However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto<br />
interface without scatterlists"), the underflow can now actually be<br />
triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a<br />
larger "out_len" than "in_len" and filling the "in" buffer with zeroes,<br />
crypto_akcipher_sync_prep() will create an all-zero scatterlist used for<br />
both the "src" and "dst" member of struct akcipher_request and thereby<br />
fulfil the conditions to trigger the bug:<br />
<br />
sys_keyctl()<br />
keyctl_pkey_e_d_s()<br />
asymmetric_key_eds_op()<br />
software_key_eds_op()<br />
crypto_akcipher_sync_encrypt()<br />
crypto_akcipher_sync_prep()<br />
crypto_akcipher_encrypt()<br />
rsa_enc()<br />
mpi_read_raw_from_sgl()<br />
<br />
To the user this will be visible as a DoS as the kernel spins forever,<br />
causing soft lockup splats as a side effect.<br />
<br />
Fix it.
Impacto
Puntuación base 3.x
5.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.4 (incluyendo) | 5.10.259 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (incluyendo) | 5.15.210 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (incluyendo) | 6.1.176 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (incluyendo) | 6.6.140 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.88 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.30 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.7 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/1abd50fc3cfa16fc2074a3c8c2729c50fd9d7043
- https://git.kernel.org/stable/c/26d3a97ad46c7a9226ec04d4bf35bd4998a97d16
- https://git.kernel.org/stable/c/2aa77a18dc7f2670497fe3ee5acbeda0b57659e5
- https://git.kernel.org/stable/c/30e513e755bb381afce6fb57cdc8694136193f22
- https://git.kernel.org/stable/c/6d63615c796c085b4984e3031b9fa77fffb47360
- https://git.kernel.org/stable/c/8637dfb4c1d8a7026ef681f2477c6de8b71c4003
- https://git.kernel.org/stable/c/8c2f1288250a90a4b5cabed5d888d7e3aeed4035
- https://git.kernel.org/stable/c/a1793a48881ec8d26e9c79b0ee65753f1c6846a4



