CVE-2026-43330 - Vulnerability Details

- crypto: caam - fix overflow on long hmac keys

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: caam - fix overflow on long hmac keys

When a key longer than block size is supplied, it is copied and then
hashed into the real key. The memory allocated for the copy needs to
be rounded to DMA cache alignment, as otherwise the hashed key may
corrupt neighbouring memory.

The copying is performed using kmemdup, however this leads to an overflow:
reading more bytes (aligned_len - keylen) from the keylen source buffer.
Fix this by replacing kmemdup with kmalloc, followed by memcpy.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A buffer overflow occurs in the Linux kernel's caam crypto module when an HMAC key larger than the block size is supplied. The key is duplicated with kmemdup, which incorrectly reads additional bytes from the source buffer, allowing the resulting copy to overwrite adjacent memory. This memory corruption can compromise data integrity and potentially grant an attacker the ability to execute arbitrary code in kernel space, leading to full system compromise, or cause a denial of service by crashing the kernel.

Affected Systems

All Linux kernel implementations that include the caam cryptographic accelerator and use HMAC keys longer than the acceptable block size are affected. No specific kernel versions are listed in the data, so the vulnerability may be present across multiple releases where caam is enabled.

Risk and Exploitability

The CVSS score is not provided, but the described overflow can lead to arbitrary code execution, which is considered a severe impact. Without an EPSS score or KEV listing, the current exploit probability is unknown; however, kernel memory corruption bugs historically are prized by attackers. The most likely attack vector is a local or privileged user who can supply an oversized HMAC key through an application that uses the caam module. Detection would require evidence of neighboring memory corruption or abnormal kernel behavior.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`199354d7fb6eaa2cc5bb650af0bca624baffee35`	affected	< 31022cfde5235c45fa765f0aabeff5f0652852f2
`199354d7fb6eaa2cc5bb650af0bca624baffee35`	affected	< c2fb4984fe09fc176fe4c12d5e3edf626df6511d
`199354d7fb6eaa2cc5bb650af0bca624baffee35`	affected	< aa545df011338df13f0833fc1fabcb15c0521959
`199354d7fb6eaa2cc5bb650af0bca624baffee35`	affected	< cebc5ebd958346195b77f42d0cd5141b4e448fae
`199354d7fb6eaa2cc5bb650af0bca624baffee35`	affected	< 80688afb9c35b3934ce2d6be9973758915e2e0ef

Linux

affected

Version	Status	Constraints
`6.3`	affected	—
`0`	unaffected	< 6.3
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[199354d7fb6eaa2cc5bb650af0bca624baffee35,31022cfde5235c45fa765f0aabeff5f0652852f2)`	affected	code_commit	—
`[199354d7fb6eaa2cc5bb650af0bca624baffee35,c2fb4984fe09fc176fe4c12d5e3edf626df6511d)`	affected	code_commit	—
`[199354d7fb6eaa2cc5bb650af0bca624baffee35,aa545df011338df13f0833fc1fabcb15c0521959)`	affected	code_commit	—
`[199354d7fb6eaa2cc5bb650af0bca624baffee35,cebc5ebd958346195b77f42d0cd5141b4e448fae)`	affected	code_commit	—
`[199354d7fb6eaa2cc5bb650af0bca624baffee35,80688afb9c35b3934ce2d6be9973758915e2e0ef)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.3`	affected	generic	—
`[0,6.3)`	unaffected	generic	—
`[6.6.134,7.0.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that replaces kmemdup with kmalloc and memcpy, as shown in the cited git commits.
Verify that the system uses the caam crypto module; if possible, disable or restrict it until the patch is applied.
Ensure that all HMAC keys used with the caam module are no longer than the supported block size to avoid triggering the overflow until the patch is in place.

Generated by OpenCVE AI on May 8, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/31022cfde5235c45fa765f0aabeff5f0652852f2
https://git.kernel.org/stable/c/80688afb9c35b3934ce2d6be9973758915e2e0ef
https://git.kernel.org/stable/c/aa545df011338df13f0833fc1fabcb15c0521959
https://git.kernel.org/stable/c/c2fb4984fe09fc176fe4c12d5e3edf626df6511d
https://git.kernel.org/stable/c/cebc5ebd958346195b77f42d0cd5141b4e448fae

History

Fri, 08 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: crypto: caam - fix overflow on long hmac keys When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache alignment, as otherwise the hashed key may corrupt neighbouring memory. The copying is performed using kmemdup, however this leads to an overflow: reading more bytes (aligned_len - keylen) from the keylen source buffer. Fix this by replacing kmemdup with kmalloc, followed by memcpy.
Title		crypto: caam - fix overflow on long hmac keys
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/31022cfde5235c45fa765f0aabeff5f0652852f2 https://git.kernel.org/stable/c/80688afb9c35b3934ce2d6be9973758915e2e0ef https://git.kernel.org/stable/c/aa545df011338df13f0833fc1fabcb15c0521959 https://git.kernel.org/stable/c/c2fb4984fe09fc176fe4c12d5e3edf626df6511d https://git.kernel.org/stable/c/cebc5ebd958346195b77f42d0cd5141b4e448fae

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:31:18.133Z

Updated: 2026-05-08T13:31:18.133Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43330

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:42.650

Modified: 2026-05-08T14:16:42.650

Link: CVE-2026-43330

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses

CWE-119

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object