CRITICAL
crypto pcrypt MAY_BACKLOG Race
CVE-2026-43493
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI6.5MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling of MAY_BACKLOG requests MAY_BACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications.
02KernelScan AI Analysis
Risk summary
Systems using parallel cryptographic operations may experience kernel crashes, memory corruption, or information leaks when crypto requests return EBUSY under load. This affects systems performing encryption/decryption operations via the AF_ALG interface or kernel subsystems using pcrypt, particularly when untrusted users or container workloads can submit crypto requests.
Vulnerability analysis
The pcrypt subsystem incorrectly handles MAY_BACKLOG crypto requests that return -EBUSY, treating them as completion events and calling padata_do_serial() prematurely. This causes the completion callback to be invoked twice for the same request: once immediately due to the erroneous -EBUSY handling, and again when the asynchronous operation actually completes. The spurious invocation can free the request or associated resources, leading to a use-after-free when the genuine completion later accesses the freed request context. The fix adds proper handling for -EBUSY returns by treating them the same as -EINPROGRESS (async operation in flight) and filters out spurious -EINPROGRESS notifications in the completion callback to prevent double-completion scenarios.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | ae7e95638d95 |
| 5.15 | 5.15.209 | 1d7f07df450b |
| 6.1 | 6.1.175 | 76641449b289 |
| 6.12 | 6.12.86 | eb34e243df57 |
| 6.18 | 6.18.27 | 77d55bc8675e |
| 6.6 | 6.6.140 | 9f1cbca178c0 |
| 7.0 | 7.0.4 | 46271895ddfb |
| mainline | 7.1-rc1 | 915b692e6cb7 |