Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: hisilicon/sec2 - prevent req used-after-free for sec

During packet transmission, if the system is under heavy load,
the hardware might complete processing the packet and free the
request memory (req) before the transmission function finishes.
If the software subsequently accesses this req, a use-after-free
error will occur. The qp_ctx memory exists throughout the packet
sending process, so replace the req with the qp_ctx.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
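
The ownership hand-off in the description above, as an added example that is neither the driver's code nor the upstream patch: a simplified user-space C model in which every name (`hw_submit`, `hw_complete`, `send_fixed`, `drain`, `QDEPTH`, the struct fields) is hypothetical. It shows the send path capturing `qp_ctx` before submission, so nothing is read through `req` once the completion path may have freed it.

```c
#include <stdlib.h>

/* Simplified user-space model; every name here is hypothetical. */
#define QDEPTH 8
struct req;
struct qp_ctx {                        /* outlives every request on the queue */
    unsigned long send_cnt;            /* statistic updated by the send path */
    struct req *inflight[QDEPTH];      /* submitted, not yet completed */
    int n_inflight;
};
struct req { struct qp_ctx *qp_ctx; }; /* freed by the completion path */

/* Completion path: the request is done and its memory is released. */
static void hw_complete(struct req *r) { free(r); }

/* With `early` set, completion runs before submit returns, modelling the
 * hardware finishing first on a heavily loaded system. */
static int hw_submit(struct qp_ctx *qp, struct req *r, int early)
{
    if (early) { hw_complete(r); return 0; }
    if (qp->n_inflight == QDEPTH)
        return -1;                     /* queue full: caller still owns r */
    qp->inflight[qp->n_inflight++] = r;
    return 0;
}

/* Fixed shape: qp is captured before the hand-off and used afterwards.
 * The unsafe shape would run `r->qp_ctx->send_cnt++` after hw_submit(),
 * reading through memory the completion path may already have freed. */
int send_fixed(struct req *r, int early)
{
    struct qp_ctx *qp = r->qp_ctx;
    int ret = hw_submit(qp, r, early);
    if (ret == 0)
        qp->send_cnt++;                /* r is not dereferenced from here on */
    return ret;
}

/* Completes everything still queued; returns how many were released. */
int drain(struct qp_ctx *qp)
{
    int n = qp->n_inflight;
    while (qp->n_inflight > 0)
        hw_complete(qp->inflight[--qp->n_inflight]);
    return n;
}
```

Building the model with AddressSanitizer and swapping in the unsafe line makes the early-completion case report a heap-use-after-free, which is a quick way to confirm the ordering problem.
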
AI Analysis

Impact

The Linux kernel’s hisilicon/sec2 crypto driver was found to free a request‐level memory block (req) before the packet transmission routine finished using it, creating a use‑after‑free condition. This flaw can lead to memory corruption, process crashes, or, if an attacker can trigger the scenario reliably, arbitrary code execution. The defect maps to CWE‑416, a classic use‑after‑free weakness.

Affected Systems

The vulnerability affects the Linux kernel, specifically the crypto driver for Hisilicon sec2 devices. No specific kernel versions are listed, so all kernel releases that have not incorporated the fix may be vulnerable.

Risk and Exploitability

With no CVSS score or EPSS data available, the severity is assessed as moderate to high, as the flaw could cause denial of service or compromise in high‑traffic environments. The vulnerability is not listed in CISA’s KEV catalog, indicating no current exploitation reports. The most likely attack vector is through network traffic to the system: an adversary could generate heavy packet loads to trigger the race condition, though successful exploitation would require precise timing and is therefore considered less straightforward than a typical remote code execution vulnerability.

Generated by OpenCVE AI on June 24, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the fix for the Hisilicon sec2 crypto driver.
  • If an immediate kernel update is not feasible, disable or unload the hisilicon/sec2 crypto module during periods of heavy network load to prevent the use‑after‑free scenario.
  • Implement network traffic shaping or rate limiting on interfaces that use the Hisilicon sec2 hardware to reduce the likelihood of overwhelming the driver under load.



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/sec2 - prevent req used-after-free for sec During packet transmission, if the system is under heavy load, the hardware might complete processing the packet and free the request memory (req) before the transmission function finishes. If the software subsequently accesses this req, a use-after-free error will occur. The qp_ctx memory exists throughout the packet sending process, so replace the req with the qp_ctx.
Title | | crypto: hisilicon/sec2 - prevent req used-after-free for sec
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:00.876Z

Reserved: 2026-06-09T07:44:35.381Z

Link: CVE-2026-53055

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses