CVE-2006-0095
Description
dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:linux:linux_kernel:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.10:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.11:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.12:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.6:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.7:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.8:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.11.9:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:rc7:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.8.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.9:2.6.20:*:*:*:*:*:*
- (no CPE) range: <=2.6.15
Patches
Vulnerability mechanics
Root cause
"dm-crypt does not zero the struct crypt_config (containing the cryptographic key) before freeing it, allowing sensitive key material to persist in freed memory."
Attack vector
A local user can exploit the missing memory-clearing step to obtain sensitive cryptographic key information. After the dm-crypt device is removed or fails to initialize, the kernel frees the `struct crypt_config` without zeroing it. The freed memory may be reallocated to another process or written to a swap image (e.g. a swsusp image), allowing the local attacker to read the residual key material [ref_id=1][ref_id=2][ref_id=3]. No network path or special privileges beyond local access are required.
Affected code
The vulnerability resides in the dm-crypt driver in `drivers/md/dm-crypt.c`. The `struct crypt_config` (which holds the cryptographic key material) was not zeroed before `kfree()` was called in the error path (`bad1` label) and in the destructor function `crypt_dtr()` [ref_id=2][ref_id=3].
What the fix does
The patch adds a `memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8))` call before every `kfree(cc)` in `dm-crypt.c` — both in the error-return path (label `bad1`) and in the device-destructor function `crypt_dtr()` [ref_id=2][ref_id=3]. This ensures that the entire `crypt_config` structure, including the variable-length key buffer, is overwritten with zeros before the memory is returned to the kernel allocator. Without this clearing, the freed memory could be reused by another process or written to a suspend image, leaking the encryption key.
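A user-space sketch of the difference the patch makes, added here as an example (not the kernel's code or the patch itself). The struct is reduced to a size field plus trailing key, and a `calloc`'d buffer stands in for allocator memory so the released slot can be inspected legally; `POOL_SIZE`, the function names and the sample key are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define POOL_SIZE 256

/* Reduced stand-in for dm-crypt's struct crypt_config (illustrative fields). */
struct crypt_config {
    unsigned int key_size;
    uint8_t key[];                 /* key_size bytes follow the header */
};

/* Pre-fix release: the slot is handed back with the key still in it. */
static void cc_release_unpatched(struct crypt_config *cc) { (void)cc; }

/* Post-fix release: wipe header and trailing key before handing it back. */
static void cc_release_patched(struct crypt_config *cc)
{
    memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(uint8_t));
}

/* Count copies of the key in the pool, as the next owner of the memory
 * (or whatever writes a suspend image) would see it. */
static int count_key(const uint8_t *pool, const uint8_t *key, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i + n <= POOL_SIZE; i++)
        hits += (memcmp(pool + i, key, n) == 0);
    return hits;
}

/* Returns how many copies of the key remain after the slot is released. */
int key_copies_after_release(int patched)
{
    static const uint8_t key[16] = {   /* constructed sample key */
        0x4b, 0x45, 0x59, 0x2d, 0x53, 0x41, 0x4d, 0x50,
        0x4c, 0x45, 0x2d, 0x30, 0x31, 0x32, 0x33, 0x34 };
    uint8_t *pool = calloc(1, POOL_SIZE);  /* hypothetical allocator pool */
    if (!pool) return -1;
    struct crypt_config *cc = (struct crypt_config *)(pool + 64);
    cc->key_size = sizeof(key);
    memcpy(cc->key, key, sizeof(key));
    (patched ? cc_release_patched : cc_release_unpatched)(cc);
    int hits = count_key(pool, key, sizeof(key));
    free(pool);
    return hits;
}

int main(void) { return key_copies_after_release(1) != 0; }
```

In ordinary user-space code a `memset` placed directly before `free()` can be removed by the optimizer as a dead store, so a wipe routine that is guaranteed to run (for example `explicit_bzero`) is the usual choice there.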
Preconditions
- auth: The attacker must have local access to the system.
- config: A dm-crypt device must be removed or fail to initialize so that the struct crypt_config is freed.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- marc.info (nvd)
- marc.info (nvd)
- secunia.com/advisories/18487 (nvd)
- secunia.com/advisories/18527 (nvd)
- secunia.com/advisories/18774 (nvd)
- secunia.com/advisories/19160 (nvd)
- secunia.com/advisories/19374 (nvd)
- secunia.com/advisories/20398 (nvd)
- securityreason.com/securityalert/388 (nvd)
- securitytracker.com/id (nvd)
- www.debian.org/security/2006/dsa-1017 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.novell.com/linux/security/advisories/2006-05-31.html (nvd)
- www.osvdb.org/22418 (nvd)
- www.redhat.com/archives/fedora-announce-list/2006-February/msg00037.html (nvd)
- www.redhat.com/support/errata/RHSA-2006-0132.html (nvd)
- www.securityfocus.com/archive/1/427981/100/0/threaded (nvd)
- www.securityfocus.com/bid/16301 (nvd)
- www.trustix.org/errata/2006/0004 (nvd)
- www.vupen.com/english/advisories/2006/0235 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/24189 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11192 (nvd)
- usn.ubuntu.com/244-1/ (nvd)