The vulnerability resides in the starfive_aes_aead_do_one_req() function of the Linux kernel’s crypto subsystem. An allocation for rctx->adata is made with kzalloc, but when sg_copy_to_buffer() or starfive_aes_hw_init() fails, the function does not free this memory. Because rctx->adata is always freed later only after a successful write_adata operation, an error path can leave the allocation unfreed, resulting in a memory leak. The weakness can lead to gradual degradation of system memory availability, potentially causing the kernel to experience out‑of‑memory conditions over time. The flaw is a classic resource management defect, identified as CWE‑401.

All Linux kernel releases that include the starfive_aes_aead_do_one_req() implementation are affected, until a patch that removes the leak is applied. No specific vendor or version information is provided; the issue appears in upstream Linux kernel source that contains the starfive driver.

The exploitability of this fault is limited to local privileged processes that can load or manipulate the affected crypto module, as the code runs in kernel context. There is no documented remote attack vector. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Without a CVSS score, the severity assessment remains high, as memory exhaustion is a known critical problem in kernel code, but actual exploit risk is constrained by the lack of remote access or privilege escalation pathways.