2464487 – (CVE-2026-43043) CVE-2026-43043 kernel: crypto: af-alg - fix NULL pointer dereference in scatterwalk

Bug 2464487 (CVE-2026-43043) - CVE-2026-43043 kernel: crypto: af-alg - fix NULL pointer dereference in scatterwalk

Summary: CVE-2026-43043 kernel: crypto: af-alg - fix NULL pointer dereference in scatt...

Keywords:
Status:	NEW
Alias:	CVE-2026-43043
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-01 15:09 UTC by OSIDB Bzimport
Modified:	2026-05-01 18:15 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:09:33 UTC

In the Linux kernel, the following vulnerability has been resolved:

crypto: af-alg - fix NULL pointer dereference in scatterwalk

The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().

Comment 1 Keith Grant 2026-05-01 18:12:28 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050104-CVE-2026-43043-6997@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.