Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix use-after-free on error path

In the error path of sev_tsm_init_locked(), the code dereferences 't'
after it has been freed with kfree(). The pr_err() statement attempts
to access t->tio_en and t->tio_init_done after the memory has been
released.

Move the pr_err() call before kfree(t) to access the fields while the
memory is still valid.

This issue reported by Smatch static analyser
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free in the Linux kernel’s crypto subsystem. The error path of sev_tsm_init_locked() dereferences a structure that has already been freed with kfree(). Accessing t->tio_en and t->tio_init_done after the memory release causes a kernel memory fault, resulting in a crash and a denial of service.

Affected Systems

Linux kernel binaries compiled from the vulnerable source tree are affected, including kernel releases 6.19 and all 7.0 release candidates (rc1 through rc7).

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the flaw resides in kernel code and would generally require local privileged execution to trigger the error path. Even a single triggering event could crash the system, leading to a denial of service. The low EPSS suggests that widespread exploitation is unlikely at present.

Generated by OpenCVE AI on April 28, 2026 at 22:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that contains the ccp use‑after‑free fix
  • If an update is not yet available, disable the ccp crypto module by unloading the module or compiling the kernel without it
  • Reboot the system to load the updated kernel or disabled module configuration

Generated by OpenCVE AI on April 28, 2026 at 22:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix use-after-free on error path In the error path of sev_tsm_init_locked(), the code dereferences 't' after it has been freed with kfree(). The pr_err() statement attempts to access t->tio_en and t->tio_init_done after the memory has been released. Move the pr_err() call before kfree(t) to access the fields while the memory is still valid. This issue reported by Smatch static analyser
Title crypto: ccp - Fix use-after-free on error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:05:01.536Z

Reserved: 2026-01-13T15:37:45.999Z

Link: CVE-2026-23344

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:32.493

Modified: 2026-04-24T18:17:48.577

Link: CVE-2026-23344

cve-icon Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23344 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T22:15:41Z

Weaknesses