CVE-2026-23222 - Vulnerability Details

- crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly

The existing allocation of scatterlists in omap_crypto_copy_sg_lists()
was allocating an array of scatterlist pointers, not scatterlist objects,
resulting in a 4x too small allocation.

Use sizeof(*new_sg) to get the correct object size.

Published: 2026-02-18

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Linux kernel’s OMAP cryptographic driver, where an incorrect allocation size for scatterlists can lead to memory corruption. The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation. Use of an incorrect allocation size results in out‑of‑bounds writes when the driver populates the scatterlist array, potentially overwriting arbitrary kernel memory and enabling arbitrary code execution within kernel mode.

Affected Systems

Linux kernel encryption drivers employing the OMAP_CRYPTO_FORCE_COPY feature are affected. All kernel versions that include the buggy omap_crypto_copy_sg_lists() implementation are vulnerable; the patch is present in kernel releases newer than the commit referenced in the advisory. Specific vendor or product versions are not enumerated beyond the Linux kernel as a whole.

Risk and Exploitability

The CVSS score of 7.8 denotes a high severity. EPSS less than 1% indicates that the likelihood of exploitation is very low at the time of this analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a local privilege escalation or an attacker with sufficient access to the OMAP crypto device, since the flaw is triggered during driver operations. Exploitation would require influence over driver input to trigger the out‑of‑bounds write and is thus not trivially exploitable by remote actors.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`74ed87e7e7f7197137164738dd0610ccd5ec5ed1`	affected	< 953c81941b0ad373674656b8767c00234ebf17ac
`74ed87e7e7f7197137164738dd0610ccd5ec5ed1`	affected	< 31aff96a41ae6f1f1687c065607875a27c364da8
`74ed87e7e7f7197137164738dd0610ccd5ec5ed1`	affected	< 79f95b51d4278044013672c27519ae88d07013d8
`74ed87e7e7f7197137164738dd0610ccd5ec5ed1`	affected	< 6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b
`74ed87e7e7f7197137164738dd0610ccd5ec5ed1`	affected	< c184341920ed78b6466360ed7b45b8922586c38f
`74ed87e7e7f7197137164738dd0610ccd5ec5ed1`	affected	< 2ed27b5a1174351148c3adbfc0cd86d54072ba2e
`74ed87e7e7f7197137164738dd0610ccd5ec5ed1`	affected	< d1836c628cb72734eb5f7dfd4c996a9c18bba3ad
`74ed87e7e7f7197137164738dd0610ccd5ec5ed1`	affected	< 1562b1fb7e17c1b3addb15e125c718b2be7f5512

Linux

affected

Version	Status	Constraints
`4.13`	affected	—
`0`	unaffected	< 4.13
`5.10.251`	unaffected	≤ 5.10.*
`5.15.201`	unaffected	≤ 5.15.*
`6.1.164`	unaffected	≤ 6.1.*
`6.6.125`	unaffected	≤ 6.6.*
`6.12.72`	unaffected	≤ 6.12.*
`6.18.11`	unaffected	≤ 6.18.*
`6.19.1`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c184341920ed78b6466360ed7b45b8922586c38f)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2ed27b5a1174351148c3adbfc0cd86d54072ba2e)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d1836c628cb72734eb5f7dfd4c996a9c18bba3ad)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.6.125,6.7.0)`	unaffected	semver	—
`[6.12.72,6.13.0)`	unaffected	semver	—
`[6.18.11,6.19.0)`	unaffected	semver	—
`[6.19.1,6.20.0)`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a kernel version that includes the patch correcting the scatterlist allocation; reference the commit logs linked in the advisory.
If using a custom kernel module that relies on the OMAP cryptographic driver, rebuild the module against the patched kernel headers to ensure compatibility.
As a temporary measure, prevent untrusted code from accessing the OMAP cryptographic device by revoking appropriate permissions (e.g., setting device permissions to root‑only or configuring SELinux/AppArmor profiles) or disable the OMAP crypto driver if it is not required.

Generated by OpenCVE AI on April 15, 2026 at 18:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4498-1	linux security update
Debian DLA	DLA-4499-1	linux-6.1 security update
Debian DSA	DSA-6141-1	linux security update
Debian DSA	DSA-6163-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1562b1fb7e17c1b3addb15e125c718b2be7f5512
https://git.kernel.org/stable/c/2ed27b5a1174351148c3adbfc0cd86d54072ba2e
https://git.kernel.org/stable/c/31aff96a41ae6f1f1687c065607875a27c364da8
https://git.kernel.org/stable/c/6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b
https://git.kernel.org/stable/c/79f95b51d4278044013672c27519ae88d07013d8
https://git.kernel.org/stable/c/953c81941b0ad373674656b8767c00234ebf17ac
https://git.kernel.org/stable/c/c184341920ed78b6466360ed7b45b8922586c38f
https://git.kernel.org/stable/c/d1836c628cb72734eb5f7dfd4c996a9c18bba3ad
https://lore.kernel.org/linux-cve-announce/2026021806-CVE-2026-23222-3958@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23222
https://www.cve.org/CVERecord?id=CVE-2026-23222

History

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 18 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 23 Feb 2026 03:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/1562b1fb7e17c1b3addb15e125c718b2be7f5512

Thu, 19 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/31aff96a41ae6f1f1687c065607875a27c364da8 https://git.kernel.org/stable/c/79f95b51d4278044013672c27519ae88d07013d8 https://git.kernel.org/stable/c/953c81941b0ad373674656b8767c00234ebf17ac

Thu, 19 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026021806-CVE-2026-23222-3958@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23222 https://www.cve.org/CVERecord?id=CVE-2026-23222

Wed, 18 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation. Use sizeof(*new_sg) to get the correct object size.
Title		crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2ed27b5a1174351148c3adbfc0cd86d54072ba2e https://git.kernel.org/stable/c/6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b https://git.kernel.org/stable/c/c184341920ed78b6466360ed7b45b8922586c38f https://git.kernel.org/stable/c/d1836c628cb72734eb5f7dfd4c996a9c18bba3ad

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-18T14:53:25.504Z

Updated: 2026-04-13T06:02:37.510Z

Reserved: 2026-01-13T15:37:45.987Z

Link: CVE-2026-23222

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-02-18T16:22:31.920

Modified: 2026-04-02T15:16:23.297

Link: CVE-2026-23222

Redhat

Severity :

Publid Date: 2026-02-18T00:00:00Z

Links: CVE-2026-23222 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses

NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object