Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: acomp - fix wrong pointer stored by acomp_save_req()

acomp_save_req() stores &req->chain in req->base.data. When
acomp_reqchain_done() is invoked on asynchronous completion, it receives
&req->chain as the data argument but casts it directly to struct
acomp_req. Since data points to the chain member, all subsequent field
accesses are at a wrong offset, resulting in memory corruption.

The issue occurs when an asynchronous hardware implementation, such as
the QAT driver, completes a request that uses the DMA virtual address
interface (e.g. acomp_request_set_src_dma()). This combination causes
crypto_acomp_compress() to enter the acomp_do_req_chain() path, which
sets acomp_reqchain_done() as the completion callback via
acomp_save_req().

With KASAN enabled, this manifests as a general protection fault in
acomp_reqchain_done():

general protection fault, probably for non-canonical address 0xe000040000000000
KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007]
RIP: 0010:acomp_reqchain_done+0x15b/0x4e0
Call Trace:
<IRQ>
qat_comp_alg_callback+0x5d/0xa0 [intel_qat]
adf_ring_response_handler+0x376/0x8b0 [intel_qat]
adf_response_handler+0x60/0x170 [intel_qat]
tasklet_action_common+0x223/0x820
handle_softirqs+0x1ab/0x640
</IRQ>

Fix this by storing the request itself in req->base.data instead of
&req->chain, so that acomp_reqchain_done() receives the correct pointer.
Simplify acomp_restore_req() accordingly to access req->chain directly.
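
A user-space model of the offset mismatch described above, added here as an illustration; it is not kernel code or the upstream patch. The `model_*` structs, their layout and the helper names are simplified assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space stand-ins (assumptions), not the kernel's structs. */
struct model_cb { void (*fn)(void *data, int err); void *data; };
struct model_req {
    struct model_cb base;   /* base.data is handed to the completion callback */
    uint32_t slen;
    struct model_cb chain;  /* saved caller callback */
};

/* Before the fix: the address of the chain member is stored. */
static void save_buggy(struct model_req *req) { req->base.data = &req->chain; }
/* After the fix: the request itself is stored. */
static void save_fixed(struct model_req *req) { req->base.data = req; }

/* Emulates "struct model_req *req = data; req->slen" with a bounded memcpy. */
static uint32_t done_reads_slen(const void *data)
{
    uint32_t v;
    memcpy(&v, (const char *)data + offsetof(struct model_req, slen), sizeof(v));
    return v;
}

/* Returns the slen the handler sees; *skew = stored pointer minus request. */
static uint32_t demo(int fixed, ptrdiff_t *skew)
{
    /* tail (0xAA) stands in for whatever memory follows the request */
    static struct { struct model_req req; unsigned char tail[sizeof(struct model_req)]; } arena;

    memset(&arena, 0xAA, sizeof(arena));
    memset(&arena.req, 0, sizeof(arena.req));
    arena.req.slen = 4096;
    if (fixed) save_fixed(&arena.req); else save_buggy(&arena.req);
    *skew = (char *)arena.req.base.data - (char *)&arena.req;
    return done_reads_slen(arena.req.base.data);
}

int main(void)
{
    ptrdiff_t skew;
    uint32_t v = demo(0, &skew);
    printf("buggy: skew=%td slen=0x%x\n", skew, (unsigned)v);
    v = demo(1, &skew);
    printf("fixed: skew=%td slen=%u\n", skew, (unsigned)v);
    return 0;
}
```

With the chain member's address stored, every field read in the handler is shifted by `offsetof(struct model_req, chain)` bytes, so the length it sees comes from unrelated memory rather than from the request.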
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs when acomp_save_req mistakenly stores the address of a request chain element instead of the request itself in req->base.data. When the asynchronous completion handler acomp_reqchain_done is invoked, it interprets this data pointer as a struct acomp_req, causing all subsequent field accesses to use incorrect offsets. This results in kernel memory corruption and manifests as a general protection fault. It is inferred that the corrupted kernel memory could be overwritten, potentially allowing a local attacker who can trigger the crypto_acomp_compress path to execute arbitrary code or crash the system.

Affected Systems

The vulnerability affects all Linux kernel releases that include the acomp crypto compression subsystem and use the DMA virtual address interface with hardware accelerators such as the Intel QAT driver. Any system running an unpatched kernel that has such hardware support enabled is at risk.

Risk and Exploitability

The EPSS score of 0.00017 indicates a very low probability of exploitation, the vulnerability is not listed in CISA KEV, and the CVSS severity is 7.8. The nature of the fault indicates a high impact: kernel memory corruption, which can lead to privilege escalation or denial of service. The likely attack vector is a local process capable of invoking the crypto_acomp_compress path, for example through a privileged application or service that interacts with the QAT driver. Because the flaw is within the kernel's crypto subsystem, exploitation would require the attacker to have sufficient privileges to initiate a crypto request; therefore, the risk is high for systems where such privileged access is possible.

Generated by OpenCVE AI on May 30, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel version that includes the acomp_save_req fix, ensuring req->base.data stores the correct request pointer.
  • If the system does not require the Intel QAT crypto driver, disable or unload that driver to remove the completion path that triggers the fault.
  • Restrict usage of acomp_request_set_src_dma and crypto_acomp_compress interfaces to trusted, privileged processes to reduce the attack surface.



Advisories

No advisories yet.

History

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-125

Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-125

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title crypto: acomp - fix wrong pointer stored by acomp_save_req()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:52:55.892Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46081

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:29.510

Modified: 2026-06-17T10:53:02.230

Link: CVE-2026-46081

Redhat

Severity :

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46081 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:30:24Z

Weaknesses
  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')