CVE-2026-53038 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

ima_fs: Correctly create securityfs files for unsupported hash algos

ima_tpm_chip->allocated_banks[i].crypto_id is initialized to
HASH_ALGO__LAST if the TPM algorithm is not supported. However there
are places relying on the algorithm to be valid because it is accessed
by hash_algo_name[].

On 6.12.40 I observe the following read out-of-bounds in hash_algo_name:
==================================================================
BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440
Read of size 8 at addr ffffffff83e18138 by task swapper/0/1

CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3
Call Trace:
<TASK>
dump_stack_lvl+0x61/0x90
print_report+0xc4/0x580
? kasan_addr_to_slab+0x26/0x80
? create_securityfs_measurement_lists+0x396/0x440
kasan_report+0xc2/0x100
? create_securityfs_measurement_lists+0x396/0x440
create_securityfs_measurement_lists+0x396/0x440
ima_fs_init+0xa3/0x300
ima_init+0x7d/0xd0
init_ima+0x28/0x100
do_one_initcall+0xa6/0x3e0
kernel_init_freeable+0x455/0x740
kernel_init+0x24/0x1d0
ret_from_fork+0x38/0x80
ret_from_fork_asm+0x11/0x20
</TASK>

The buggy address belongs to the variable:
hash_algo_name+0xb8/0x420

Memory state around the buggy address:
ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9
^
ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
==================================================================

Seems like the TPM chip supports sha3_256, which isn't yet in
tpm_algorithms:
tpm tpm0: TPM with unsupported bank algorithm 0x0027

That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0
Library Part 2: Structures", page 51 [1].
See also the related U-Boot algorithms update [2].

Thus solve the problem by creating a file name with "_tpm_alg_<ID>"
postfix if the crypto algorithm isn't initialized.

This is how it looks on the test machine (patch ported to v6.12 release):
# ls -1 /sys/kernel/security/ima/
ascii_runtime_measurements
ascii_runtime_measurements_tpm_alg_27
ascii_runtime_measurements_sha1
ascii_runtime_measurements_sha256
binary_runtime_measurements
binary_runtime_measurements_tpm_alg_27
binary_runtime_measurements_sha1
binary_runtime_measurements_sha256
policy
runtime_measurements_count
violations

[1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf
[2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises when the IMA module creates securityfs files for hash algorithms that are not supported by the TPM. The crypto_id is initialized to an out‑of‑range value when the TPM advertises an unsupported algorithm, and subsequent code accesses hash_algo_name[] using this invalid index, resulting in a global out‑of‑bounds read. This can trigger a KASAN fault during boot, causing a kernel crash and a denial of service.

Affected Systems

Linux kernel implementations that have not incorporated the IMA securityfs patch. In particular, any kernel version prior to the fix merged into the 6.12 series—including 6.12.40 and earlier—can exhibit the out‑of‑bounds read if an unsupported TPM hash algorithm is present. Systems running unpatched 6.12 kernels or earlier versions will be affected.

Risk and Exploitability

The impact is limited to a local kernel crash; it does not provide remote code execution or privilege escalation. No CVSS or EPSS score is publicly published, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local or privileged access to the TPM interface, making it unlikely unless an attacker can influence the TPM algorithm list. The potential impact on critical systems is high if the kernel is forced to reboot.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`9fa8e76250082a45d0d3dad525419ab98bd01658`	affected	< 081b557cb56e1cfa8d1619b2601b01c53e3f418c
`9fa8e76250082a45d0d3dad525419ab98bd01658`	affected	< b6766b171a5c4c33b26ff6fec530cb798db1f75e
`9fa8e76250082a45d0d3dad525419ab98bd01658`	affected	< 88d4e89a39f0de07798ca3fd93bd1a9ea212a82e
`9fa8e76250082a45d0d3dad525419ab98bd01658`	affected	< d7bd8cf0b348d3edae7bee33e74a32b21668b181

Linux

affected

Version	Status	Constraints
`6.10`	affected	—
`0`	unaffected	< 6.10
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the system to a kernel version that contains the IMA securityfs patch, such as any 6.12.40 release or later that includes the change.
If a kernel upgrade is not possible, restrict IMA TPM support for banks that use unsupported hash algorithms by disabling the IMA TPM module or configuring it to ignore unsupported banks.
Ensure the TPM firmware and drivers only expose hash algorithms that the kernel recognizes, or update the TPM firmware to remove unsupported algorithms.

Generated by OpenCVE AI on June 24, 2026 at 19:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/081b557cb56e1cfa8d1619b2601b01c53e3f418c
https://git.kernel.org/stable/c/88d4e89a39f0de07798ca3fd93bd1a9ea212a82e
https://git.kernel.org/stable/c/b6766b171a5c4c33b26ff6fec530cb798db1f75e
https://git.kernel.org/stable/c/d7bd8cf0b348d3edae7bee33e74a32b21668b181

History

Wed, 24 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ima_fs: Correctly create securityfs files for unsupported hash algos ima_tpm_chip->allocated_banks[i].crypto_id is initialized to HASH_ALGO__LAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be valid because it is accessed by hash_algo_name[]. On 6.12.40 I observe the following read out-of-bounds in hash_algo_name: ================================================================== BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440 Read of size 8 at addr ffffffff83e18138 by task swapper/0/1 CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3 Call Trace: <TASK> dump_stack_lvl+0x61/0x90 print_report+0xc4/0x580 ? kasan_addr_to_slab+0x26/0x80 ? create_securityfs_measurement_lists+0x396/0x440 kasan_report+0xc2/0x100 ? create_securityfs_measurement_lists+0x396/0x440 create_securityfs_measurement_lists+0x396/0x440 ima_fs_init+0xa3/0x300 ima_init+0x7d/0xd0 init_ima+0x28/0x100 do_one_initcall+0xa6/0x3e0 kernel_init_freeable+0x455/0x740 kernel_init+0x24/0x1d0 ret_from_fork+0x38/0x80 ret_from_fork_asm+0x11/0x20 </TASK> The buggy address belongs to the variable: hash_algo_name+0xb8/0x420 Memory state around the buggy address: ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9 ^ ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9 ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 ================================================================== Seems like the TPM chip supports sha3_256, which isn't yet in tpm_algorithms: tpm tpm0: TPM with unsupported bank algorithm 0x0027 That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0 Library Part 2: Structures", page 51 [1]. See also the related U-Boot algorithms update [2]. Thus solve the problem by creating a file name with "_tpm_alg_<ID>" postfix if the crypto algorithm isn't initialized. This is how it looks on the test machine (patch ported to v6.12 release): # ls -1 /sys/kernel/security/ima/ ascii_runtime_measurements ascii_runtime_measurements_tpm_alg_27 ascii_runtime_measurements_sha1 ascii_runtime_measurements_sha256 binary_runtime_measurements binary_runtime_measurements_tpm_alg_27 binary_runtime_measurements_sha1 binary_runtime_measurements_sha256 policy runtime_measurements_count violations [1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf [2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html
Title		ima_fs: Correctly create securityfs files for unsupported hash algos
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/081b557cb56e1cfa8d1619b2601b01c53e3f418c https://git.kernel.org/stable/c/88d4e89a39f0de07798ca3fd93bd1a9ea212a82e https://git.kernel.org/stable/c/b6766b171a5c4c33b26ff6fec530cb798db1f75e https://git.kernel.org/stable/c/d7bd8cf0b348d3edae7bee33e74a32b21668b181

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:29:45.086Z

Updated: 2026-06-24T16:29:45.086Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53038

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:45:05Z

Weaknesses

CWE-125
Out-of-bounds Read

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object