Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: af-alg - fix NULL pointer dereference in scatterwalk

The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the AF_ALG interface can trigger a NULL pointer dereference when chaining new scatter/gather lists. The problem occurs if a sendmsg() call fills an SGL to its maximum size and a subsequent sendmsg() allocates a new SGL without clearing the end marker on the previous list, causing the crypto scatterwalk to stop early and dereference a null pointer. This results in a kernel panic, abruptly halting system operation. The flaw is a classic NULL pointer dereference (CWE-476) and leads to a top‑tier denial‑of‑service impact.

Affected Systems

All Linux kernel builds that preceded the inclusion of commit 00cbdec17c15d024a1c5002c7365df7624a18a75 and the accompanying patches are vulnerable. The affected code resides in the AF_ALG subsystem and the issue is not restricted to a specific distribution or kernel version identifier. Systems running a kernel without the fix commit are susceptible.

Risk and Exploitability

The vulnerability causes a kernel panic, a severe denial‑of‑service condition. The CVSS score of 5.5 indicates moderate severity. EPSS data are unavailable, so the exploitation probability is unquantified. It is likely exploitable only by a local user who can create and send crafted messages to an AF_ALG socket. Although the vulnerability is not listed in the CISA KEV catalog, the combination of a local privilege requirement and the severe impact makes it a significant risk for environments that use the AF_ALG interface.

Generated by OpenCVE AI on May 2, 2026 at 07:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that incorporates the AF_ALG NULL pointer dereference fix (commits 00cbdec17c15d024a1c5002c7365df7624a18a75 and subsequent related patches).
  • Reboot the system to load the updated kernel and ensure the new code is active.
  • If AF_ALG functionality is not required in the environment, temporarily restrict or disable access to AF_ALG sockets until the patch is applied.

Generated by OpenCVE AI on May 2, 2026 at 07:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: crypto: af-alg - fix NULL pointer dereference in scatterwalk The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL) when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent sendmsg() allocates a new SGL and chains it, but fails to clear the end marker on the previous SGL's last data entry. This causes the crypto scatterwalk to hit a premature end, returning NULL on sg_next() and leading to a kernel panic during dereference. Fix this by explicitly unmarking the end of the previous SGL when performing sg_chain() in af_alg_alloc_tsgl().
Title crypto: af-alg - fix NULL pointer dereference in scatterwalk
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:36.820Z

Reserved: 2026-05-01T14:12:55.979Z

Link: CVE-2026-43043

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:50.563

Modified: 2026-05-08T18:57:17.780

Link: CVE-2026-43043

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43043 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T07:15:16Z

Weaknesses