The Linux kernel contained a flaw in the crypto cc_mac_digest function where a failing cc_map_hash_request_final call could leave allocated memory unmapped, creating a memory leak. This vulnerability is a textbook case of CWE-401 Memory Leak and can cause accumulated memory usage to grow until the system exhausts resources, leading to service disruption. Based on the description, it is inferred that an attacker would need to trigger cryptographic operations that exercise the failing path, which could be done locally or through a vulnerable kernel crypto API exposed to userspace.

All Linux kernel releases that implement the cc_mac_digest routine are susceptible until the patch that introduces cc_unmap_result is applied. The vulnerability is not tied to a specific kernel sub‑release, so any kernel without the fix—regardless of distribution—may be affected.

The EPSS score is not available, and the vulnerability is not in CISA’s KEV catalog, so publicly known exploitation is not documented. Nonetheless, the memory leak can be abused by a local attacker who can trigger the problematic function, or by a remote attacker if the kernel exposes a crypto service that can be manipulated. Without a CVSS score, severity cannot be formally rated, but the possibility of denial of service and the absence of mitigation in the unpatched kernel make the risk moderate to high in environments with heavy cryptographic workloads.