VYPR
Unrated severity · NVD Advisory · Published Feb 4, 2026 · Updated Apr 15, 2026

CVE-2026-23044

Description

In the Linux kernel, the following vulnerability has been resolved:

PM: hibernate: Fix crash when freeing invalid crypto compressor

When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL.

The cleanup code in save_compressed_image() and load_compressed_image() unconditionally calls crypto_free_acomp() without checking for ERR_PTR, which causes crypto_acomp_tfm() to dereference an invalid pointer and crash the kernel.

This can be triggered when the compression algorithm is unavailable (e.g., CONFIG_CRYPTO_LZO not enabled).

Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp() and acomp_request_free(), similar to the existing kthread_stop() check.

[ rjw: Added 2 empty code lines ]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL-pointer dereference in Linux kernel's hibernation code when an unavailable crypto compressor is used, fixed by adding ERR_PTR checks.

Root Cause

The Linux kernel's hibernation (suspend-to-disk) code in save_compressed_image() and load_compressed_image() calls crypto_free_acomp() without first verifying that the compressor handle is valid. When crypto_alloc_acomp() fails, it returns an ERR_PTR value rather than NULL. The cleanup path unconditionally passes this invalid pointer to crypto_free_acomp(), which internally calls crypto_acomp_tfm() and dereferences the error value, causing a kernel crash [1][2].

Attack Vector

An attacker with local access can trigger this bug when the requested compression algorithm (e.g., LZO) is not available in the kernel configuration (e.g., CONFIG_CRYPTO_LZO disabled). When the system attempts to hibernate or resume from hibernation, the missing algorithm causes crypto_alloc_acomp() to fail, and the subsequent cleanup passes the returned ERR_PTR to crypto_free_acomp(), which dereferences it and crashes the kernel. No special privileges beyond the ability to initiate hibernation are required.

Impact

The practical impact is a kernel crash (denial of service) during hibernate or resume whenever the compressor cannot be allocated. The fix adds IS_ERR_OR_NULL() checks before calling crypto_free_acomp() and acomp_request_free(), mirroring the existing kthread_stop() check. This prevents the invalid pointer dereference and ensures graceful cleanup when a compressor allocation fails [1][2].

Mitigation

The patch has been applied to the Linux kernel stable tree. Users should update to a kernel version containing commit `7966cf0ebe32` (or an equivalent backport). No workaround is available other than ensuring the required crypto algorithm is built into the kernel or loaded as a module.
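The root cause and the fix above come down to one distinction: a failed crypto_alloc_acomp() returns an ERR_PTR-encoded errno, which a plain NULL check does not catch. The following userspace example, added here and not taken from the kernel patch, re-implements the linux/err.h helpers, models crypto_alloc_acomp()/crypto_free_acomp() with constructed stand-ins (the `alg_available` flag and the `setup_and_teardown()` wrapper are assumptions for the demo), and shows the IS_ERR_OR_NULL() guard that the fix adds to the shared cleanup path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Userspace re-implementation of the linux/err.h helpers (constructed for this demo).
 * Error pointers live in the top MAX_ERRNO bytes of the address space, so they are
 * non-NULL: a NULL check alone lets them through. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO)
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr) { return IS_ERR_VALUE(ptr); }
static inline bool IS_ERR_OR_NULL(const void *ptr) { return !ptr || IS_ERR_VALUE(ptr); }

/* Stand-in for struct crypto_acomp: one field so that freeing it must touch memory. */
struct crypto_acomp { char name[16]; };

/* Constructed stand-in for crypto_alloc_acomp(): returns ERR_PTR(-ENOENT), not NULL,
 * when the requested algorithm (e.g. "lzo" without CONFIG_CRYPTO_LZO) is unavailable. */
static void *crypto_alloc_acomp(const char *alg, bool alg_available)
{
    if (!alg_available)
        return ERR_PTR(-ENOENT);
    struct crypto_acomp *tfm = calloc(1, sizeof(*tfm));
    if (!tfm)
        return ERR_PTR(-ENOMEM);
    strncpy(tfm->name, alg, sizeof(tfm->name) - 1);
    return tfm;
}

/* Stand-in for crypto_free_acomp(): like the real one it dereferences tfm unconditionally,
 * so handing it an ERR_PTR value is the crash described in the advisory. */
static void crypto_free_acomp(struct crypto_acomp *tfm)
{
    memset(tfm->name, 0, sizeof(tfm->name));
    free(tfm);
}

/* Models the fixed cleanup path of save/load_compressed_image(): the error from the
 * allocation is propagated, and the handle is freed only if it is a real object.
 * Returns 0 or a negative errno; *freed reports whether the free ran. */
static int setup_and_teardown(bool alg_available, bool *freed)
{
    struct crypto_acomp *tfm = crypto_alloc_acomp("lzo", alg_available);
    int ret = 0;
    *freed = false;
    if (IS_ERR(tfm))
        ret = PTR_ERR(tfm);         /* allocation failed; fall through to shared cleanup */
    if (!IS_ERR_OR_NULL(tfm)) {     /* the guard added by the fix */
        crypto_free_acomp(tfm);
        *freed = true;
    }
    return ret;
}
```

With the guard removed, the unavailable-algorithm case would call crypto_free_acomp() on the ERR_PTR value and fault, which is the behaviour the commit message describes.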

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
