lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

Summary

CVE	CVE-2026-43492
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-19 12:16:18 UTC
Updated	2026-05-19 12:16:18 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting "lzeros" from the unsigned "nbytes". For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow. When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to "nbytes". However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger "out_len" than "in_len" and filling the "in" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug: sys_keyctl() keyctl_pkey_e_d_s() asymmetric_key_eds_op() software_key_eds_op() crypto_akcipher_sync_encrypt() crypto_akcipher_sync_prep() crypto_akcipher_encrypt() rsa_enc() mpi_read_raw_from_sgl() To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect. Fix it.

Risk And Classification

EPSS: 0.000240000 probability, percentile 0.070660000 (date 2026-05-28)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 2d4d1eea540b27c72488fd1914674c42473d53df 2aa77a18dc7f2670497fe3ee5acbeda0b57659e5 git	Not specified
CNA	Linux	Linux	affected 2d4d1eea540b27c72488fd1914674c42473d53df 26d3a97ad46c7a9226ec04d4bf35bd4998a97d16 git	Not specified
CNA	Linux	Linux	affected 2d4d1eea540b27c72488fd1914674c42473d53df 8637dfb4c1d8a7026ef681f2477c6de8b71c4003 git	Not specified
CNA	Linux	Linux	affected 2d4d1eea540b27c72488fd1914674c42473d53df 30e513e755bb381afce6fb57cdc8694136193f22 git	Not specified
CNA	Linux	Linux	affected 2d4d1eea540b27c72488fd1914674c42473d53df 8c2f1288250a90a4b5cabed5d888d7e3aeed4035 git	Not specified
CNA	Linux	Linux	affected 4.4	Not specified
CNA	Linux	Linux	unaffected 4.4 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.140 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.88 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.30 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.7 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/30e513e755bb381afce6fb57cdc8694136193f22	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8c2f1288250a90a4b5cabed5d888d7e3aeed4035	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/2aa77a18dc7f2670497fe3ee5acbeda0b57659e5	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/26d3a97ad46c7a9226ec04d4bf35bd4998a97d16	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8637dfb4c1d8a7026ef681f2477c6de8b71c4003	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.