Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - limit RX SG extraction by receive buffer budget

Make af_alg_get_rsgl() limit each RX scatterlist extraction to the
remaining receive buffer budget.

af_alg_get_rsgl() currently uses af_alg_readable() only as a gate
before extracting data into the RX scatterlist. Limit each extraction
to the remaining af_alg_rcvbuf(sk) budget so that receive-side
accounting matches the amount of data attached to the request.

If skcipher cannot obtain enough RX space for at least one chunk while
more data remains to be processed, reject the recvmsg call instead of
rounding the request length down to zero.
Published: 2026-04-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s AF_ALG cryptographic interface contains a flaw in the af_alg_get_rsgl() function that extracts received data from scatterlists without respecting the socket’s receive‑buffer budget. This can result in more data being copied into the socket buffer than it can handle, causing repeated failures of recvmsg or silent truncation of requests and leading to denial of service. The weakness is a buffer allocation control flaw (CWE‑770) and is also classified under the NVD-CWE-noinfo category.

Affected Systems

All Linux kernel builds that include the AF_ALG interface before the patch – regardless of distribution or minor kernel version – are affected. Systems running any kernel that processes af_alg scatterlist extraction without capping for the receive‑buffer budget remain vulnerable until the kernel is updated or the socket budget is manually adjusted.

Risk and Exploitability

The CVSS score of 5.5 classifies the vulnerability as medium severity, whereas the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need local system access and sufficient privileges to interact with AF_ALG sockets, for example by running a malicious process on the same host or exploiting a local privilege escalation. Successful exploitation would manifest as service disruption from repeated recvmsg failures rather than privilege escalation or data exfiltration.

Generated by OpenCVE AI on May 6, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the af_alg buffer‑budget limit fix
  • If a kernel upgrade is not immediately possible, increase the receive‑buffer budget for AF_ALG sockets or restrict the use of skcipher services to trusted processes to avoid recvmsg rejections
  • Monitor system logs for AF_ALG recvmsg failure messages and investigate any sudden denial‑of‑service symptoms

Generated by OpenCVE AI on May 6, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - limit RX SG extraction by receive buffer budget Make af_alg_get_rsgl() limit each RX scatterlist extraction to the remaining receive buffer budget. af_alg_get_rsgl() currently uses af_alg_readable() only as a gate before extracting data into the RX scatterlist. Limit each extraction to the remaining af_alg_rcvbuf(sk) budget so that receive-side accounting matches the amount of data attached to the request. If skcipher cannot obtain enough RX space for at least one chunk while more data remains to be processed, reject the recvmsg call instead of rounding the request length down to zero.
Title crypto: af_alg - limit RX SG extraction by receive buffer budget
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:30.305Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31677

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-25T09:16:01.330

Modified: 2026-05-06T21:29:38.333

Link: CVE-2026-31677

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31677 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:30:13Z

Weaknesses