HIGH
ccp SEV-TIO UAF
CVE-2026-23344
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - Fix use-after-free on error path
In the error path of sev_tsm_init_locked(), the code dereferences 't' after it has been freed with kfree(). The pr_err() statement attempts to access t->tio_en and t->tio_init_done after the memory has been released.
Move the pr_err() call before kfree(t) to access the fields while the memory is still valid.
This issue was reported by the Smatch static analyser.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the AMD CCP driver could allow a local attacker with sufficient privileges to cause system crashes or potentially execute arbitrary code. The vulnerability occurs during error handling in SEV-TIO initialization, affecting systems with AMD SEV hardware that support Trusted I/O features.
Vulnerability analysis
Root Cause: In the error path of sev_tsm_init_locked(), the code calls kfree(t) to free the memory pointed to by 't', but then immediately attempts to dereference t->tio_en and t->tio_init_done in a pr_err() statement. This creates a use-after-free condition where freed memory is being accessed.
Attack Surface: This vulnerability is in the AMD CCP (Cryptographic Coprocessor) driver's SEV-TIO (Secure Encrypted Virtualization - Trusted I/O) initialization code. The affected code path is triggered during error handling in the TSM (Trusted Security Module) initialization. Access requires local privileges and the presence of AMD SEV-capable hardware with TIO support.
Fix Mechanism: The patch reorders the operations by moving the pr_err() call before the kfree(t) call. This ensures that the fields t->tio_en and t->tio_init_done are accessed while the memory is still valid, eliminating the use-after-free vulnerability.
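The reordering described under Fix Mechanism, as an added user-space C model (not the ccp driver's code and not part of the original advisory). Assumed: the struct layout, the helper names, the log text, and a one-object arena whose free routine writes 0x6b the way kernel slab poisoning does, so the stale read is observable without undefined behaviour; only the field names tio_en and tio_init_done come from the page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not driver code: only the field names come from the advisory. */
struct tio_state { unsigned char tio_en, tio_init_done; };

#define POISON_FREE 0x6b        /* byte kernel slab poisoning writes into freed objects */
static struct tio_state slot;   /* one-object arena, so a stale read stays defined C */
static char last_log[96];       /* stands in for the kernel log */

static struct tio_state *model_alloc(void) { memset(&slot, 0, sizeof(slot)); return &slot; }
static void model_free(struct tio_state *t) { memset(t, POISON_FREE, sizeof(*t)); }

static void log_state(const struct tio_state *t)
{
    snprintf(last_log, sizeof(last_log), "init failed: tio_en=%#x tio_init_done=%#x",
             (unsigned)t->tio_en, (unsigned)t->tio_init_done);
}

/* Ordering the advisory describes as the bug: free, then log through 't'. */
const char *error_path_buggy(void)
{
    struct tio_state *t = model_alloc();
    t->tio_en = 1;              /* constructed state before the simulated failure */
    model_free(t);
    log_state(t);               /* stale read: sees poison, not the real state */
    return last_log;
}

/* Ordering after the fix: log while the object is live, then free. */
const char *error_path_fixed(void)
{
    struct tio_state *t = model_alloc();
    t->tio_en = 1;
    log_state(t);
    model_free(t);
    return last_log;
}

int main(void)
{
    printf("buggy: %s\n", error_path_buggy());
    printf("fixed: %s\n", error_path_fixed());
    return 0;
}
```

In a running kernel the freed object may already have been reallocated, so the values logged by the buggy ordering are unpredictable rather than a fixed poison pattern.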
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.7 | 79a26fe3175b |
| mainline | 7.0 | 889b0e2721e7 |