KernelScan.io

HIGH

crypto OMAP Scatterlist Overflow

CVE-2026-23222

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly

The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation. Use sizeof(*new_sg) to get the correct object size.


Engine v0.2.0

Risk summary

Local attackers with low privileges can trigger heap buffer overflows in the OMAP crypto driver by using crypto operations that force scatterlist copying. This can lead to memory corruption, privilege escalation, or system crashes on devices with OMAP hardware crypto acceleration.

Affected: drivers/crypto/omap-crypto.c (OMAP crypto driver)

Vulnerability analysis

The vulnerability stems from an incorrect size calculation in kmalloc_array(): sizeof(*sg) was used instead of sizeof(*new_sg), so space was allocated for scatterlist pointers rather than scatterlist objects, resulting in a 4x too small allocation. When the crypto subsystem writes scatterlist data beyond the allocated buffer, the heap overflows. The fix corrects the sizeof expression so that enough space is allocated for the scatterlist objects. The bug is locally exploitable through crypto API calls that trigger the OMAP_CRYPTO_FORCE_COPY path, and it requires only basic user privileges to access the crypto interfaces.


Branch      Fixed in    Patch commit
5.10        5.10.251    953c81941b0a
5.15        5.15.201    31aff96a41ae
6.1         6.1.164     79f95b51d427
6.12        6.12.72     c184341920ed
6.18        6.18.11     2ed27b5a1174
6.19        6.19.1      d1836c628cb7
6.6         6.6.125     6edf8df4bd29
mainline    7.0         1562b1fb7e17