Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: tegra - Add missing CRYPTO_ALG_ASYNC

The tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its
asynchronous algorithms, causing the crypto API to select them for users
that request only synchronous algorithms. This causes crashes (at
least). Fix this by adding the flag like what the other drivers do.
Also remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just
get ignored and overridden by the registration function anyway.
Published: 2026-05-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The tegra crypto driver omitted setting the CRYPTO_ALG_ASYNC flag on its asynchronous algorithms, triggering a CWE-166 flaw and a CWE-617 flaw in the driver initialization. Because the flag is missing, the crypto API may incorrectly select these asynchronous algorithms when a request specifies only synchronous operation, leading to crashes during user or system-level crypto operations and effectively enabling a denial of service. The likely attack vector involves an entity that can trigger crypto operations that request synchronous algorithms while the tegra driver is loaded, inferred from the description.

Affected Systems

All Linux distributions that ship an unpatched kernel containing the tegra crypto driver are affected. The vulnerability applies to any kernel version released before the patch commits that added the missing flag. Systems that enable the tegra crypto driver in their kernel configuration are the ones that should assess if the driver is active.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. No public exploits or reported incidents are documented. The EPSS score, reported as less than 1%, indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to trigger a synchronous crypto request that routes through the tegra driver. Based on the description, it is inferred that such operations can be triggered by user or system-level processes capable of invoking the kernel crypto API. The vulnerability can lead to a kernel crash and interrupt affected services.

Generated by OpenCVE AI on May 7, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the tegra driver patch (commits 3aea268b6d5cde3b087df9eeecc3bc620aa09513, 429d05565eb19ee545d8a8395991372adbe4daf3, 4b56770d345524fc2acc143a2b85539cf7d74bc1, bdbf027a4504b4a86740de6beb6d18a957331839).
  • If an upgrade is not immediately possible, prevent the tegra crypto driver from loading by adding a blacklist entry such as "blacklist tegra_crypto" to /etc/modprobe.d/blacklist.conf.
  • If the driver must remain enabled for operational reasons, limit its use by ensuring that only trusted or privileged code performs crypto operations that engage the driver.

Generated by OpenCVE AI on May 7, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-746

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-166
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Sat, 02 May 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-746

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: crypto: tegra - Add missing CRYPTO_ALG_ASYNC The tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its asynchronous algorithms, causing the crypto API to select them for users that request only synchronous algorithms. This causes crashes (at least). Fix this by adding the flag like what the other drivers do. Also remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just get ignored and overridden by the registration function anyway.
Title crypto: tegra - Add missing CRYPTO_ALG_ASYNC
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:14:49.577Z

Reserved: 2026-03-09T15:48:24.138Z

Link: CVE-2026-31739

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:36.600

Modified: 2026-05-07T19:00:05.323

Link: CVE-2026-31739

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31739 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T20:45:22Z

Weaknesses