HIGH
crypto af_alg Page Overflow
CVE-2026-43078
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.8 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl

When page reassignment was added to af_alg_pull_tsgl the original loop wasn't updated so it may try to reassign one more page than necessary.

Add the check to the reassignment so that this does not happen.

Also update the comment which still refers to the obsolete offset argument.
02 KernelScan AI Analysis
Risk summary
Local users can trigger an out-of-bounds page reassignment in the AF_ALG crypto socket handler by supplying scatterlist entries with zero-length pages. This causes memory corruption in kernel heap memory and can lead to system crashes. The vulnerability is reachable by unprivileged users as AF_ALG sockets do not require elevated capabilities.
Vulnerability analysis
The vulnerability exists in af_alg_pull_tsgl() in crypto/af_alg.c. When page reassignment logic was added, the loop condition was not updated to account for zero-length entries (plen == 0). As a result, the destination scatterlist index j is incremented and sg_set_page() is called on dst+j even when no data is present, causing an out-of-bounds write past the allocated destination scatterlist. The fix adds a plen check so that reassignment only occurs when there is actual data to assign. AF_ALG sockets are accessible to unprivileged users without requiring CAP_NET_ADMIN or other capabilities, making this locally exploitable by any user with access to the socket interface.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.254 | fa48d3ea9cdb |
| 5.15 | 5.15.204 | 2b781d1d4f93 |
| 6.1 | 6.1.170 | f7826bc0b399 |
| 6.6 | 6.6.137 | 710a4ce5d7af |
| 6.12 | 6.12.85 | c8369a6d62f5 |
| 6.18 | 6.18.24 | dea5fcf085f9 |
| 6.19 | 6.19.14 | 9532501e0f1b |
| mainline | 7.0 | 31d00156e50e |
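
A host check against the fix table above, as an added example that is not part of the original advisory or of KernelScan. It assumes upstream stable version numbering in `uname -r`; the function name and status strings are hypothetical, and vendor kernels that backport fixes under their own numbering have to be checked against the vendor's advisory instead.

```python
import platform
import re

# Fix table copied from this advisory: stable branch -> first fixed patch level.
FIXED_IN = {
    (5, 10): 254,
    (5, 15): 204,
    (6, 1): 170,
    (6, 6): 137,
    (6, 12): 85,
    (6, 18): 24,
    (6, 19): 14,
}
MAINLINE_FIXED = (7, 0)  # the "mainline | 7.0" row

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?")


def classify(release):
    """Map a `uname -r` style string to 'fixed', 'needs-update' or 'unknown'."""
    m = _RELEASE.match(release.strip())
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    is_rc = m.group(4) is not None
    if branch == MAINLINE_FIXED and is_rc:
        # A 7.0 release candidate may predate the fix commit; do not guess.
        return "unknown"
    if branch >= MAINLINE_FIXED:
        return "fixed"
    fixed_patch = FIXED_IN.get(branch)
    if fixed_patch is None:
        # Branch not listed. The advisory gives no introduced-in version,
        # so an unlisted branch is reported as unknown, not as safe.
        return "unknown"
    return "fixed" if patch >= fixed_patch else "needs-update"


if __name__ == "__main__":
    # Constructed sample releases, followed by the running kernel.
    for rel in ["6.6.136", "6.6.137", "6.13.4", "7.0.0-rc3", platform.release()]:
        print(f"{rel:<24} {classify(rel)}")
```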