{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23344", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.999Z", "datePublished": "2026-03-25T10:27:31.795Z", "dateUpdated": "2026-03-25T10:27:31.795Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:31.795Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix use-after-free on error path\n\nIn the error path of sev_tsm_init_locked(), the code dereferences 't'\nafter it has been freed with kfree(). The pr_err() statement attempts\nto access t->tio_en and t->tio_init_done after the memory has been\nreleased.\n\nMove the pr_err() call before kfree(t) to access the fields while the\nmemory is still valid.\n\nThis issue reported by Smatch static analyser"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/crypto/ccp/sev-dev-tsm.c"], "versions": [{"version": "4be423572da1f4c11f45168e3fafda870ddac9f8", "lessThan": "79a26fe3175b9ed7c0c9541b197cb9786237c0f7", "status": "affected", "versionType": "git"}, {"version": "4be423572da1f4c11f45168e3fafda870ddac9f8", "lessThan": "889b0e2721e793eb46cf7d17b965aa3252af3ec8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/crypto/ccp/sev-dev-tsm.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/79a26fe3175b9ed7c0c9541b197cb9786237c0f7"}, {"url": "https://git.kernel.org/stable/c/889b0e2721e793eb46cf7d17b965aa3252af3ec8"}], "title": "crypto: ccp - Fix use-after-free on error path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix use-after-free on error path\n\nIn the error path of sev_tsm_init_locked(), the code dereferences 't'\nafter it has been freed with kfree(). The pr_err() statement attempts\nto access t->tio_en and t->tio_init_done after the memory has been\nreleased.\n\nMove the pr_err() call before kfree(t) to access the fields while the\nmemory is still valid.\n\nThis issue reported by Smatch static analyser"}], "id": "CVE-2026-23344", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:32.493", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/79a26fe3175b9ed7c0c9541b197cb9786237c0f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/889b0e2721e793eb46cf7d17b965aa3252af3ec8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: crypto: ccp - Fix use-after-free on error path", "id": "2451184", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451184"}, "csaw": false, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's crypto: ccp module. A use-after-free vulnerability exists in the `sev_tsm_init_locked()` function's error handling path. This occurs when the system attempts to access memory that has already been released, leading to a memory corruption vulnerability. This could potentially result in system instability or a denial of service (DoS)."], "name": "CVE-2026-23344", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23344\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23344\nhttps://lore.kernel.org/linux-cve-announce/2026032535-CVE-2026-23344-0279@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-03-25T12:13:03.829225+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the commit 79a26fe3175b9ed7c0c9541b197cb9786237c0f7 or a later patch that moves the error logging before the kfree call.", "If a full kernel upgrade is not immediately possible, unload or disable the ccp crypto module on systems where it is not required.", "Monitor kernel logs for the pr_err message referencing t->tio_en or t->tio_init_done that occurs after a freed pointer, which could indicate an attempt to trigger the flaw."], "summary": {"action": "Apply Patch", "impact": "Denial of Service (Kernel Crash)"}, "threat_synthesis": {"affected_systems": "This vulnerability applies to Linux kernel builds that include the ccp crypto driver before the commit resolving the error path was merged. No specific kernel release numbers are listed, but the fix is present in the upstream kernel source starting with the commit referenced in the vendor references. Any distribution shipping a kernel that contains the old ccp driver code is potentially affected until it is updated.", "description_and_impact": "The flaw is a use\u2011after\u2011free in the Linux kernel\u2019s ccp crypto driver. In the error path of sev_tsm_init_locked(), the code dereferences a structure after it has been freed with kfree(). The pr_err() function tries to access fields of the freed structure, which can trigger a kernel oops and bring the system down. The vulnerability is a classic buffer misuse fault (CWE\u2011416).", "risk_and_exploitability": "The CVSS metrics are not supplied, but a use\u2011after\u2011free in privileged kernel code is considered a severe flaw that can lead to a system crash. No EPSS score is available and the issue is not listed in the CISA KEV catalog, indicating that there is no known widespread exploitation. The likely attack vector is local; an attacker would need to run user\u2011land code capable of triggering the error path in the ccp driver to provoke the crash."}}}}, "created": "2026-03-25T21:32:10.449977+00:00", "updated": "2026-03-25T21:32:10.450003+00:00", "vendors": [], "weaknesses": ["CWE-416"]}