Impact
The vulnerability arises from the Linux kernel’s handling of the EIP93 cryptographic accelerator’s options register, which indicates which algorithms are implemented in silicon. The kernel incorrectly unregisters all algorithms regardless of whether the hardware actually supports them. When a platform lacks support for one or more of these algorithms, the kernel fails to initialize properly and panics, leading to a total system outage. This flaw is a classic instance of improper initialization that causes a denial of service, as the system becomes unusable until a reboot or manual intervention.
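The following C model is an added illustration, not the kernel's EIP93 driver code: algorithms are registered according to hypothetical capability bits that stand in for the options register, the buggy cleanup tears down every algorithm regardless of those bits, and the corrected cleanup consults the same bits it registered under.

```c
/* Illustrative model (added example, not the kernel's EIP93 driver code):
 * algorithms are registered only when the hardware options register
 * advertises them, so cleanup must consult the same information. */
#include <stdint.h>
#define CAP_AES    (1u << 0)   /* hypothetical capability bits */
#define CAP_SHA256 (1u << 1)
#define CAP_MD5    (1u << 2)
struct alg {
    uint32_t cap_bit;  /* bit that must be set in the options register */
    int registered;    /* set at probe, cleared at remove */
};
static struct alg algs[] = { { CAP_AES, 0 }, { CAP_SHA256, 0 }, { CAP_MD5, 0 } };
#define NALGS (sizeof(algs) / sizeof(algs[0]))
/* Stands in for crypto_unregister_*(): tearing down an algorithm that was
 * never registered is fatal in the real kernel; here it returns -1. */
static int unregister_one(struct alg *a)
{
    if (!a->registered)
        return -1;          /* the kernel would panic here */
    a->registered = 0;
    return 0;
}

/* Probe path: register exactly the algorithms the hardware implements. */
static void register_algs(uint32_t options)
{
    for (unsigned i = 0; i < NALGS; i++)
        algs[i].registered = (options & algs[i].cap_bit) != 0;
}

/* Buggy remove path: ignores the options register and unregisters every
 * algorithm, which fails on hardware that lacks one of them. */
int cleanup_buggy(uint32_t options)
{
    register_algs(options);
    for (unsigned i = 0; i < NALGS; i++)
        if (unregister_one(&algs[i]))
            return -1;
    return 0;
}

/* Fixed remove path: only unregister what the options register advertised. */
int cleanup_fixed(uint32_t options)
{
    register_algs(options);
    for (unsigned i = 0; i < NALGS; i++)
        if ((options & algs[i].cap_bit) && unregister_one(&algs[i]))
            return -1;
    return 0;
}
```

With all three capability bits set both paths succeed; on a platform missing any one of them only the fixed path survives.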
Affected Systems
The flaw resides in the Linux kernel's crypto subsystem, specifically the EIP93 module. Any Linux distribution whose kernel includes this module is affected, in particular builds that compile the EIP93 driver and perform no additional checks on which algorithms the hardware supports. This includes all mainstream Linux kernels that ship the EIP93 crypto accelerator code path. Users of cloud or embedded platforms that rely on the EIP93 hardware accelerator for cryptographic operations are at particular risk.
Risk and Exploitability
The CVSS score is not published, no EPSS score is available, and the flaw is not listed in the CISA KEV catalog. Nonetheless, the impact is severe, as a kernel panic results in a complete loss of availability for the affected host. Exploitation would require triggering the crash (e.g., by booting a system that uses the EIP93 module or by causing the driver to load on a machine lacking full hardware support). Because the flaw is in kernel initialization, it is generally a local issue and does not appear to offer remote code execution. Even so, the high severity of a denial-of-service event warrants prompt remediation.
OpenCVE Enrichment