Description
In the Linux kernel, the following vulnerability has been resolved:

s390/zcrypt: Fix memory leak with CCA cards used as accelerator

Tests showed that there is a memory leak if CCA cards are used as
accelerator for clear key RSA requests (ME and CRT). With the last
rework for the memory allocation the AP messages are allocated by
ap_init_apmsg() but for some reason on two places (ME and CRT) the
older allocation was still in place. So the first allocation simply
was never freed.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel for the s390 architecture, a memory leak exists in the zcrypt subsystem when CCA cards are used as accelerators for clear-key RSA requests in ME and CRT modes. The flaw arises because memory allocated by ap_init_apmsg() is never freed in these code paths, causing persistent kernel memory consumption each time such requests occur. This is a CWE-401 and CWE-772 flaw that can exhaust kernel RAM, leading to system instability or a full denial of service.
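A simplified user-space model of the leak pattern described above, as an added example (not kernel code and not taken from the advisory or the fix commit). All names are hypothetical, the buffer size is arbitrary, and it assumes the leftover allocation overwrote the pointer set by the common init step.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model: counts buffers that are allocated and not yet freed. */
static long live_bufs;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p) live_bufs++;
    return p;
}
static void tracked_free(void *p) { if (p) { live_bufs--; free(p); } }

struct model_msg { void *buf; size_t len; };  /* stand-in for an AP message */

/* Models the common init step that owns the allocation after the rework. */
static int model_init_msg(struct model_msg *m)
{
    m->len = 512;                       /* arbitrary size for the model */
    m->buf = tracked_alloc(m->len);
    return m->buf ? 0 : -1;
}

/* Assumed pre-fix shape: a leftover second allocation in the request path. */
static int request_leaky(void)
{
    struct model_msg m;
    if (model_init_msg(&m)) return -1;
    m.buf = tracked_alloc(m.len);       /* overwrites the only reference */
    tracked_free(m.buf);                /* releases the second buffer only */
    return 0;
}

/* Post-fix shape: the request path reuses the buffer from the init step. */
static int request_fixed(void)
{
    struct model_msg m;
    if (model_init_msg(&m)) return -1;
    tracked_free(m.buf);
    return 0;
}

/* Net number of buffers still allocated after n requests via handler. */
static long leaked_after(int (*handler)(void), int n)
{
    long before = live_bufs;
    for (int i = 0; i < n; i++) if (handler()) break;
    return live_bufs - before;
}

int main(void)
{
    printf("leaky: %ld\n", leaked_after(request_leaky, 1000));
    printf("fixed: %ld\n", leaked_after(request_fixed, 1000));
    return 0;
}
```

In the model, one buffer is lost per request on the leaky path and none on the fixed path, which is why the leak grows with request volume.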

Affected Systems

Any Linux kernel running on s390 hardware that employs CCA card acceleration for RSA clear-key operations is affected. The advisory does not specify exact kernel versions, so all builds containing the unpatched zcrypt code for the ME or CRT pathways are potentially vulnerable.

Risk and Exploitability

The EPSS score is <1% and the vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation but an inherent risk if the flaw is present. The CVSS score of 5.5 indicates a moderate severity. The CWE-401 and CWE-772 flaws cause a memory leak when CCA cards process clear-key RSA requests in ME and CRT modes, allowing an attacker to repeatedly trigger the leak via repeated RSA requests. This can exhaust kernel memory, lead to crashes, or otherwise render the system inoperable.

Generated by OpenCVE AI on May 7, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the zcrypt memory-leak fix (commit 586222c37d4027dbf60a604fbe820184fee7c1c9).
  • Reboot the system to load the patched kernel and to discard any leaked memory structures.
  • Monitor kernel memory usage and zcrypt activity to confirm that the leak has been eliminated.



Advisories

No advisories yet.

History

Thu, 07 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 02 May 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: s390/zcrypt: Fix memory leak with CCA cards used as accelerator Tests showed that there is a memory leak if CCA cards are used as accelerator for clear key RSA requests (ME and CRT). With the last rework for the memory allocation the AP messages are allocated by ap_init_apmsg() but for some reason on two places (ME and CRT) the older allocation was still in place. So the first allocation simply was never freed.
Title s390/zcrypt: Fix memory leak with CCA cards used as accelerator
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:14:57.832Z

Reserved: 2026-03-09T15:48:24.138Z

Link: CVE-2026-31746

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-01T15:16:37.363

Modified: 2026-05-07T19:29:56.453

Link: CVE-2026-31746

Redhat

Severity:

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31746 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T20:30:15Z

Weaknesses