Description
In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: chacha: Zeroize permuted_state before it leaves scope

Since the ChaCha permutation is invertible, the local variable
'permuted_state' is sufficient to compute the original 'state', and thus
the key, even after the permutation has been done.

While the kernel is quite inconsistent about zeroizing secrets on the
stack (and some prominent userspace crypto libraries don't bother at all
since it's not guaranteed to work anyway), the kernel does try to do it
as a best practice, especially in cases involving the RNG.

Thus, explicitly zeroize 'permuted_state' before it goes out of scope.
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An in‑kernel ChaCha implementation stored a temporary variable, permuted_state, on the stack, and failed to overwrite it before it went out of scope. Because the ChaCha permutation is reversible, an attacker who can read the kernel stack can recover the original state and thus the encryption key. The resulting key disclosure compromises all cryptographic operations that rely on ChaCha, including random number generation and authenticated encryption. This flaw represents a classic secret memory disclosure.

Affected Systems

All Linux kernel versions that include the vulnerable ChaCha implementation, until the security patch is applied. The vulnerability is present in the kernel’s crypto subsystem across all distributions that ship an unpatched kernel.

Risk and Exploitability

With a CVSS score of 7.5, the flaw carries a high confidentiality impact. Based on the description, it is inferred that an attacker would need the ability to inspect kernel memory, such as through local privilege escalation or a kernel‑level payload, to recover encryption keys. No public exploit is known, and the EPSS score indicates a very low probability of exploitation (< 1 %). However, given that the vulnerability exposes critical cryptographic material, the risk is considered high. The vulnerability is not currently listed in the CISA KEV catalog, but it should be treated as a serious flaw due to its direct key‑compromise potential.

Generated by OpenCVE AI on May 16, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the latest patched release that zeroes permuted_state in the ChaCha code, thereby eliminating the secret data exposure identified as CWE‑212.
  • Reboot the system to load the patched kernel and ensure the updated code is active, preventing any residual leakage of the encryption key.
  • Check for and remove any unpatched or custom kernel modules that may use the old ChaCha implementation to avoid reintroducing the secret‑storage weakness (CWE‑212).

Generated by OpenCVE AI on May 16, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Sat, 16 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-255

Sat, 16 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-212
CWE-255
References

Fri, 15 May 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-255

Fri, 15 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Mon, 11 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-255

Mon, 11 May 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-319

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-319

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: lib/crypto: chacha: Zeroize permuted_state before it leaves scope Since the ChaCha permutation is invertible, the local variable 'permuted_state' is sufficient to compute the original 'state', and thus the key, even after the permutation has been done. While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don't bother at all since it's not guaranteed to work anyway), the kernel does try to do it as a best practice, especially in cases involving the RNG. Thus, explicitly zeroize 'permuted_state' before it goes out of scope.
Title lib/crypto: chacha: Zeroize permuted_state before it leaves scope
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:22:35.963Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43336

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:43.383

Modified: 2026-05-15T19:57:38.640

Link: CVE-2026-43336

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43336 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T03:30:14Z

Weaknesses