CVE-2026-43492

medium

Description

In the Linux kernel, the following vulnerability has been resolved: lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting "lzeros" from the unsigned "nbytes". For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow. When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to "nbytes". However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger "out_len" than "in_len" and filling the "in" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug: sys_keyctl() keyctl_pkey_e_d_s() asymmetric_key_eds_op() software_key_eds_op() crypto_akcipher_sync_encrypt() crypto_akcipher_sync_prep() crypto_akcipher_encrypt() rsa_enc() mpi_read_raw_from_sgl() To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect. Fix it.

References

https://git.kernel.org/stable/c/a1793a48881ec8d26e9c79b0ee65753f1c6846a4

https://git.kernel.org/stable/c/8c2f1288250a90a4b5cabed5d888d7e3aeed4035

https://git.kernel.org/stable/c/8637dfb4c1d8a7026ef681f2477c6de8b71c4003

https://git.kernel.org/stable/c/6d63615c796c085b4984e3031b9fa77fffb47360

https://git.kernel.org/stable/c/30e513e755bb381afce6fb57cdc8694136193f22

https://git.kernel.org/stable/c/2aa77a18dc7f2670497fe3ee5acbeda0b57659e5

https://git.kernel.org/stable/c/26d3a97ad46c7a9226ec04d4bf35bd4998a97d16

https://git.kernel.org/stable/c/1abd50fc3cfa16fc2074a3c8c2729c50fd9d7043

Details

Source: Mitre, NVD

Published: 2026-05-19

Updated: 2026-06-26

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: Medium

EPSS

EPSS: 0.00018