KernelScan.io

HIGH

crypto CCP Cleanup Deref

CVE-2026-45959

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 5.5 MEDIUM

01

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

Annotating a local pointer variable, which will be assigned with the kmalloc-family functions, with the `__cleanup(kfree)` attribute will make the address of the local variable, rather than the address returned by kmalloc, passed to kfree directly and lead to a crash due to invalid deallocation of stack address. According to other places in the repo, the correct usage should be `__free(kfree)`. The code coincidentally compiled because the parameter type `void *` of kfree is compatible with the desired type `struct { ... } **`.

02

Engine v0.2.0

Risk summary

Local users with access to CCP crypto operations can trigger a kernel crash by causing incorrect cleanup of stack memory. The bug affects systems with AMD CCP (Cryptographic Coprocessor) hardware when performing AES-GCM operations. This results in a denial of service through kernel panic.

Affected: drivers/crypto/ccp/ccp-ops.c (CCP crypto driver)

Vulnerability analysis

The root cause is incorrect use of the `__cleanup(kfree)` attribute on a pointer variable. The cleanup mechanism calls its handler with the address of the local variable (a stack address), so `kfree()` receives that stack address instead of the heap address returned by `kzalloc()`, causing an invalid memory deallocation and a kernel crash. The fix changes `__cleanup(kfree)` to `__free(kfree)`, whose wrapper first reads the pointer stored in the variable, so the allocated heap address is what is passed to `kfree()`. This is a local vulnerability requiring access to crypto operations, typically needing at least low privileges to access /dev/crypto or similar interfaces.
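The difference between the two annotations can be reproduced in user space with the compiler's `cleanup` attribute. This is an added example, not the kernel patch or KernelScan output: `struct work`, `record_free` (a stand-in for `kfree()` that records its argument) and `free_deref` (a typed wrapper in the style the kernel's `DEFINE_FREE()` generates) are hypothetical names, and `malloc`/`free` stand in for the kmalloc family.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct work { char tag[32]; };          /* hypothetical payload type */
static uintptr_t last_arg;              /* what the deallocator was handed */

/* Stand-in for kfree(): records its argument instead of freeing it. */
static void record_free(void *p) { last_arg = (uintptr_t)p; }

/* Wrapper in the style of __free(): load the pointer, then release it. */
static void free_deref(struct work **p)
{
    struct work *obj = *p;
    record_free(obj);
    free(obj);
}

/* Buggy pattern: the deallocator itself is the cleanup handler. It compiles
 * because void * accepts struct work **, but it receives &w (a stack slot). */
static int buggy_gets_stack_address(void)
{
    struct work *heap;
    uintptr_t slot;
    {
        struct work *w __attribute__((cleanup(record_free))) = malloc(sizeof(*w));
        heap = w;
        slot = (uintptr_t)&w;
    }                                   /* handler runs here with &w */
    int hit = last_arg == slot && last_arg != (uintptr_t)heap;
    free(heap);                         /* release for real; the handler did not */
    return hit;
}

/* Fixed pattern: the wrapper dereferences, so the heap address is released. */
static int fixed_gets_heap_address(void)
{
    uintptr_t heap;
    {
        struct work *w __attribute__((cleanup(free_deref))) = malloc(sizeof(*w));
        heap = (uintptr_t)w;
    }                                   /* handler runs with &w, frees *(&w) */
    return last_arg == heap;
}

int main(void)
{
    printf("buggy: %d fixed: %d\n", buggy_gets_stack_address(), fixed_gets_heap_address());
    return 0;
}
```

A review check that follows from this: any `__cleanup(...)` whose handler is a raw deallocator taking the object pointer, rather than a wrapper taking a pointer to the variable, has the same defect.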

03

| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.14 | 9a3ace9b010f |
| 6.19 | 6.19.4 | 90f9090e3e74 |
| mainline | 7.0 | d5abcc33ee76 |