CVE-2026-45959 - Vulnerability Details

- crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

Annotating a local pointer variable, which will be assigned with the
kmalloc-family functions, with the `__cleanup(kfree)` attribute will
make the address of the local variable, rather than the address returned
by kmalloc, passed to kfree directly and lead to a crash due to invalid
deallocation of stack address. According to other places in the repo,
the correct usage should be `__free(kfree)`. The code coincidentally
compiled because the parameter type `void *` of kfree is compatible with
the desired type `struct { ... } **`.

Published: 2026-05-27

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A local kernel pointer annotated with the cleanup attribute __cleanup(kfree) caused the kernel to free a stack address instead of the memory allocated by kmalloc, leading to an invalid deallocation. This flaw triggers a crash that typically manifests as a kernel panic, resulting in a denial of service. The vulnerability does not grant code execution or data exfiltration; it merely disrupts system availability.

Affected Systems

All Linux kernel installations that employ the unpatched code path are impacted. The commit that introduced the __free(kfree) correction was merged into the mainline kernel; any kernel version derived from a release prior to that commit remains vulnerable. The specific affected kernel code is identified in the references and is present in all mainstream distributions that use the upstream kernel source before the patch was applied.

Risk and Exploitability

No public exploits have been reported and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is 7.8, indicating high severity, while the EPSS score of <1% indicates a low probability of exploitation. Based on the description, it is inferred that the vulnerability requires local privileged execution, so only attackers with local or compromised administrative access can trigger the crash. The overall risk is moderate, primarily affecting availability rather than confidentiality or integrity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a71475582ada92ba021852bf3c2b40ab3718549b`	affected	< 9a3ace9b010ffd8c422c97844ae152f7c53d6b18
`a71475582ada92ba021852bf3c2b40ab3718549b`	affected	< 90f9090e3e744a8fe3bb6fa0e61f577347728b0b
`a71475582ada92ba021852bf3c2b40ab3718549b`	affected	< d5abcc33ee76bc26d58b39dc1a097e43a99dd438

Linux

affected

Version	Status	Constraints
`6.17`	affected	—
`0`	unaffected	< 6.17
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[a71475582ada92ba021852bf3c2b40ab3718549b,9a3ace9b010ffd8c422c97844ae152f7c53d6b18)`	affected	code_commit	—
`[a71475582ada92ba021852bf3c2b40ab3718549b,90f9090e3e744a8fe3bb6fa0e61f577347728b0b)`	affected	code_commit	—
`[a71475582ada92ba021852bf3c2b40ab3718549b,d5abcc33ee76bc26d58b39dc1a097e43a99dd438)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.17`	affected	generic	—
`[0,6.17)`	unaffected	generic	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to the latest stable release that includes the commit introducing the __free(kfree) change
Reboot the system after updating to load the patched kernel and prevent the crash from occurring
Restrict local administrative access to limit the ability of local attackers to trigger kernel execution

Generated by OpenCVE AI on June 16, 2026 at 21:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00127.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/90f9090e3e744a8fe3bb6fa0e61f577347728b0b
https://git.kernel.org/stable/c/9a3ace9b010ffd8c422c97844ae152f7c53d6b18
https://git.kernel.org/stable/c/d5abcc33ee76bc26d58b39dc1a097e43a99dd438
https://lore.kernel.org/linux-cve-announce/2026052733-CVE-2026-45959-5456@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45959
https://www.cve.org/CVERecord?id=CVE-2026-45959

History

Tue, 16 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-763
References		https://lore.kernel.org/linux-cve-announce/2026052733-CVE-2026-45959-5456@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45959 https://www.cve.org/CVERecord?id=CVE-2026-45959
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree Annotating a local pointer variable, which will be assigned with the kmalloc-family functions, with the `__cleanup(kfree)` attribute will make the address of the local variable, rather than the address returned by kmalloc, passed to kfree directly and lead to a crash due to invalid deallocation of stack address. According to other places in the repo, the correct usage should be `__free(kfree)`. The code coincidentally compiled because the parameter type `void ` of kfree is compatible with the desired type `struct { ... } *`.
Title		crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/90f9090e3e744a8fe3bb6fa0e61f577347728b0b https://git.kernel.org/stable/c/9a3ace9b010ffd8c422c97844ae152f7c53d6b18 https://git.kernel.org/stable/c/d5abcc33ee76bc26d58b39dc1a097e43a99dd438

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:18:16.039Z

Updated: 2026-05-30T10:46:17.267Z

Reserved: 2026-05-13T15:03:33.089Z

Link: CVE-2026-45959

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:12.543

Modified: 2026-06-16T02:32:16.750

Link: CVE-2026-45959

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45959 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses

CWE-476
NULL Pointer Dereference
CWE-763
Release of Invalid Pointer or Reference

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object