Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: acomp - fix wrong pointer stored by acomp_save_req()

acomp_save_req() stores &req->chain in req->base.data. When
acomp_reqchain_done() is invoked on asynchronous completion, it receives
&req->chain as the data argument but casts it directly to struct
acomp_req. Since data points to the chain member, all subsequent field
accesses are at a wrong offset, resulting in memory corruption.

The issue occurs when an asynchronous hardware implementation, such as
the QAT driver, completes a request that uses the DMA virtual address
interface (e.g. acomp_request_set_src_dma()). This combination causes
crypto_acomp_compress() to enter the acomp_do_req_chain() path, which
sets acomp_reqchain_done() as the completion callback via
acomp_save_req().

With KASAN enabled, this manifests as a general protection fault in
acomp_reqchain_done():

general protection fault, probably for non-canonical address 0xe000040000000000
KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007]
RIP: 0010:acomp_reqchain_done+0x15b/0x4e0
Call Trace:
<IRQ>
qat_comp_alg_callback+0x5d/0xa0 [intel_qat]
adf_ring_response_handler+0x376/0x8b0 [intel_qat]
adf_response_handler+0x60/0x170 [intel_qat]
tasklet_action_common+0x223/0x820
handle_softirqs+0x1ab/0x640
</IRQ>

Fix this by storing the request itself in req->base.data instead of
&req->chain, so that acomp_reqchain_done() receives the correct pointer.
Simplify acomp_restore_req() accordingly to access req->chain directly.
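
The pointer mismatch described above, modelled in user-space C as an added example (not the kernel's code and not the patch). The struct layouts and the names model_req, model_base, model_chain, save_req_buggy, save_req_fixed, callback_skew and access_in_bounds are simplified assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumed layout), NOT the kernel's real structs. */
struct model_base  { void (*complete)(void *data, int err); void *data; };
struct model_chain { void (*done)(void *data, int err); void *data; };
struct model_req {
    struct model_base base;     /* base.data is handed to the callback */
    unsigned int slen, dlen;
    struct model_chain chain;   /* embedded member, not at offset 0 */
};

/* Buggy save: stashes the address of the embedded chain member. */
static void save_req_buggy(struct model_req *req) { req->base.data = &req->chain; }

/* Fixed save: stashes the request itself, as the fix describes. */
static void save_req_fixed(struct model_req *req) { req->base.data = req; }

/* Byte distance between what the callback treats as the request and the
 * real request. Non-zero means every field access is shifted by that much. */
static ptrdiff_t callback_skew(const struct model_req *req)
{
    return (const char *)req->base.data - (const char *)req;
}

/* Would an access to [field_off, field_off + len) through the callback's
 * view of the request stay inside the real request object? Computed with
 * offsets only, so the demo never performs the bad access itself. */
static int access_in_bounds(const struct model_req *req, size_t field_off, size_t len)
{
    size_t start = (size_t)callback_skew(req) + field_off;
    return start + len <= sizeof(*req);
}

int main(void)
{
    struct model_req r = {0};
    size_t off = offsetof(struct model_req, chain);

    save_req_buggy(&r);
    printf("buggy: skew=%td, chain access in bounds=%d\n",
           callback_skew(&r), access_in_bounds(&r, off, sizeof(r.chain)));
    save_req_fixed(&r);
    printf("fixed: skew=%td, chain access in bounds=%d\n",
           callback_skew(&r), access_in_bounds(&r, off, sizeof(r.chain)));
    return 0;
}
```
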
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs when acomp_save_req() stores the address of the request's chain member rather than the request itself, so the completion callback acomp_reqchain_done() misinterprets its data pointer. The resulting field accesses at the wrong offset corrupt kernel memory and trigger a general protection fault. An attacker with sufficient privilege to initiate the crypto_acomp_compress() path, especially via an asynchronous hardware interface such as Intel QAT, could exploit this to write arbitrary data to kernel memory, potentially leading to privilege escalation or denial of service.

Affected Systems

The vulnerability affects the Linux kernel across all versions that implement the acomp crypto compression subsystem and interact with hardware drivers that use the DMA virtual address interface, such as the Intel QAT driver. Any system running a kernel that has not applied the described patch is potentially impacted.

Risk and Exploitability

The missing EPSS score and lack of KEV listing do not diminish the severity implied by a kernel memory corruption issue. CVSS metrics are not provided, but the nature of the fault suggests a high impact and a local exploit vector requiring the attacker to trigger a kernel crypto compression request. Given the use of specialized hardware drivers, exploitation may be limited to systems with those components enabled, yet the potential for arbitrary code execution in kernel context warrants treating the issue as high risk.

Generated by OpenCVE AI on May 27, 2026 at 18:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that applies the acomp_save_req patch, ensuring req->base.data stores the correct request pointer.
  • If the target system does not require the Intel QAT crypto driver, disable or unload that driver to eliminate the completion path that triggers the fault.
  • Restrict usage of the acomp_request_set_src_dma and crypto_acomp_compress interfaces to trusted processes, or enforce least privilege policies to reduce the attack surface.


Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-125

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description (same text as the Description section above)
Title crypto: acomp - fix wrong pointer stored by acomp_save_req()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:19.498Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46081

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:29.510

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46081

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:15:21Z

Weaknesses