Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - copy IV using skcipher ivsize

AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.

ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV
buffer while RFC3686 skciphers expose an 8-byte IV, so the restore
overruns the provided buffer.

Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that the flaw arises when the AF_ALG "rfc3686-ctr-aes-ccp" path copies an 8‑byte IV into a caller buffer and then restores AES_BLOCK_SIZE (16) bytes during completion, overwriting memory beyond the intended region. This kernel‑space buffer overrun could corrupt data integrity or cause a system crash, representing a classic unchecked copy operation.

Affected Systems

All Linux kernel versions that include the vulnerable ccp AES implementation, with no specific version mitigated yet. The affected product is the Linux kernel cryptographic core, as indicated by the generic Linux CPE.

Risk and Exploitability

Based on the description, it is inferred that the vulnerability can be triggered by any code that submits AF_ALG requests utilizing the RFC3686 cipher, potentially allowing an attacker to cause memory corruption. A CVSS score of 7.8 is provided, and EPSS is < 1%, so the quantitative risk cannot be measured. However, the flaw is a kernel‑space buffer overrun that could be exploited if an attacker can influence the IV buffer; currently, no exploits are publicly known, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation at this time.

Generated by OpenCVE AI on June 28, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the patch referenced in the provided commit logs.
  • Verify that any custom or third‑party kernel modules use crypto_skcipher_ivsize() to copy IVs rather than hard‑coded sizes, and replace any that do not.
  • If the affected cipher is unnecessary in your environment, disable AF_ALG "rfc3686-ctr-aes-ccp" or remove the corresponding crypto module until a patch is applied.

Generated by OpenCVE AI on June 28, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - copy IV using skcipher ivsize AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver. ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV buffer while RFC3686 skciphers expose an 8-byte IV, so the restore overruns the provided buffer. Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.
Title crypto: ccp - copy IV using skcipher ivsize
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T02:47:38.355Z

Reserved: 2026-06-09T07:44:35.378Z

Link: CVE-2026-53016

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53016 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses
  • CWE-805

    Buffer Access with Incorrect Length Value