HIGH
crypto AuthencESN Corruption
CVE-2026-43033
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.3 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption

When decrypting data that is not in-place (src != dst), there is no need to save the high-order sequence bits in dst as it could simply be re-copied from the source. However, the data to be hashed need to be rearranged accordingly. Thanks,

02 KernelScan AI Analysis
Risk summary
An out-of-bounds read and write vulnerability in the kernel's authencesn crypto implementation affects out-of-place AEAD decryption operations. Unprivileged local users can trigger the bug via AF_ALG sockets, causing memory corruption, information disclosure, and potential kernel panic. Systems using IPsec VPNs with Extended Sequence Numbers (ESN) may also be affected when processing inbound encrypted traffic.
Vulnerability analysis
The vulnerability stems from incorrect handling of high-order sequence number bits during out-of-place decryption (src != dst) in the authencesn AEAD implementation. The original code performed scatterlist operations on the destination buffer assuming an in-place layout, resulting in a 4-byte out-of-bounds read from beyond the destination buffer and a 4-byte out-of-bounds write past the end of the destination buffer. This occurs before the authentication check, meaning the corruption is triggered regardless of whether the ciphertext is valid. The fix separates in-place and out-of-place decryption logic, ensuring sequence number bits are correctly rearranged without accessing memory outside the destination buffer bounds.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.254 | 8c62f6185765 |
| 5.15 | 5.15.204 | d589abd8b019 |
| 6.1 | 6.1.170 | 5466e7d0cd9e |
| 6.12 | 6.12.85 | 89fe118b6470 |
| 6.18 | 6.18.22 | 153d5520c3f9 |
| 6.19 | 6.19.12 | cded4002d221 |
| 6.6 | 6.6.137 | d0c4ff681238 |
| mainline | 7.0 | e02494114ebf |