Description
In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes
than the "nbytes" parameter and the first "nbytes + 1" bytes of the
scatterlist must be zero. Under these conditions, the while loop
iterating over the scatterlist will count more zeroes than "nbytes",
subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally
introduced the bug, it couldn't be triggered because all callers of
mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to
"nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto
interface without scatterlists"), the underflow can now actually be
triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a
larger "out_len" than "in_len" and filling the "in" buffer with zeroes,
crypto_akcipher_sync_prep() will create an all-zero scatterlist used for
both the "src" and "dst" member of struct akcipher_request and thereby
fulfil the conditions to trigger the bug:

  sys_keyctl()
    keyctl_pkey_e_d_s()
      asymmetric_key_eds_op()
        software_key_eds_op()
          crypto_akcipher_sync_encrypt()
            crypto_akcipher_sync_prep()
            crypto_akcipher_encrypt()
              rsa_enc()
                mpi_read_raw_from_sgl()

To the user this will be visible as a DoS as the kernel spins forever,
causing soft lockup splats as a side effect.

Fix it.
Published: 2026-05-19
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer underflow in the Linux kernel’s mpi_read_raw_from_sgl() function. When the number of leading zeros in the input scatterlist exceeds the supplied byte count, the subtraction of the zero count from the unsigned byte count results in an underflow. The subsequent loop over the scatterlist never terminates, causing the kernel to spin indefinitely and ultimately generate a soft lockup. This manifests as a denial of service to the affected system.
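
The underflow described above, reduced to a userspace model. This is an added example, not kernel code and not the upstream fix. `struct seg`, `strip_zeros()` and the `clamp` flag are hypothetical names, and the `MAX_STEPS` watchdog stands in for the unbounded loop so that the model terminates.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: one seg stands in for one scatterlist entry. */
struct seg { const unsigned char *p; unsigned int len; };

enum { DONE = 0, SPIN = 1 };
#define MAX_STEPS 64 /* watchdog so the model itself always terminates */

/*
 * Strip leading zeroes from the first nbytes of the segment list.
 * clamp == 0: count zeroes over the whole segment (the flawed pattern).
 * clamp != 0: never inspect more than the nbytes still outstanding.
 */
static int strip_zeros(const struct seg *s, size_t nsegs, unsigned int nbytes,
                       int clamp, unsigned int *left)
{
    size_t i = 0;

    for (int step = 0; nbytes > 0; step++) {
        if (step == MAX_STEPS) { *left = nbytes; return SPIN; }
        if (i == nsegs)
            continue; /* model assumption: exhausted list yields no data */

        unsigned int len = s[i].len, lz = 0;
        if (clamp && len > nbytes)
            len = nbytes;
        while (lz < len && s[i].p[lz] == 0)
            lz++;
        nbytes -= lz;   /* unsigned: wraps when lz > nbytes */
        if (lz < len)
            break;      /* first non-zero byte reached */
        i++;
    }
    *left = nbytes;
    return DONE;
}

int main(void)
{
    static const unsigned char zeros[16]; /* constructed all-zero input */
    struct seg s = { zeros, sizeof(zeros) };
    unsigned int left;

    int r = strip_zeros(&s, 1, 8, 0, &left);
    printf("unclamped: %s, nbytes=%u\n", r == SPIN ? "spin" : "done", left);
    r = strip_zeros(&s, 1, 8, 1, &left);
    printf("clamped:   %s, nbytes=%u\n", r == SPIN ? "spin" : "done", left);
    return 0;
}
```

With a segment exactly as long as `nbytes`, the unclamped path also finishes cleanly, which matches the description's point that the flaw stayed latent while every caller passed a scatterlist of length `nbytes`.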

Affected Systems

All Linux kernel implementations that include the lib/crypto mpi module are affected. The issue can be triggered through the KEYCTL_PKEY_ENCRYPT system call, which builds an all‑zero scatterlist when the output length is larger than the input length and the input buffer is filled with zeroes. Any system running a vulnerable kernel and capable of invoking the asymmetric key encrypt operation via keyctl is vulnerable, regardless of distribution or kernel version prior to the patch.

Risk and Exploitability

The vulnerability has no current EPSS score or KEV listing, but it allows a local user to induce a kernel soft lockup, signifying a high-severity denial of service. The attack vector requires the ability to call KEYCTL_PKEY_ENCRYPT with parameters that satisfy the trigger conditions; this can normally be performed by any user with permission to use the keyctl API. With the missing score information, the risk should still be treated as high due to the destructive impact of a kernel lockup.

Generated by OpenCVE AI on May 19, 2026 at 12:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the commit that fixes mpi_read_raw_from_sgl()
  • If an upgrade is not immediately possible, avoid invoking KEYCTL_PKEY_ENCRYPT with an output length larger than the input length and ensure the input buffer is not all zeros
  • Apply the upstream patch containing the fix manually to the kernel source and rebuild the kernel



Advisories

No advisories yet.

History

Tue, 19 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129
CWE-734

Tue, 19 May 2026 11:30:00 +0000

Type Values Removed Values Added
Title lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-19T10:44:24.719Z

Reserved: 2026-05-01T14:12:56.013Z

Link: CVE-2026-43492

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T12:16:18.880

Modified: 2026-05-19T12:16:18.880

Link: CVE-2026-43492

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T12:30:05Z

Weaknesses