CVE-2026-23222
Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly
The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation.
Use sizeof(*new_sg) to get the correct object size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory allocation bug in the Linux kernel's OMAP crypto driver uses sizeof(pointer) instead of sizeof(struct), leading to a 4x undersized scatterlist array and potential memory corruption.
Vulnerability
CVE-2026-23222 is a memory allocation error in the Linux kernel's OMAP cryptographic driver. The function omap_crypto_copy_sg_lists() allocated its array of scatterlists with the wrong element size: instead of sizeof(*new_sg) it used sizeof(new_sg), which gives the size of a pointer (8 bytes on 64-bit) rather than the size of a struct scatterlist (32 bytes). The resulting allocation is 4 times too small, leading to out-of-bounds writes when the scatterlist is populated.
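The sizing error described above, modelled in userspace C as an added example (not the kernel's code): the struct layout is a simplified stand-in, and the helper names buggy_alloc_bytes, fixed_alloc_bytes and first_oob_entry are hypothetical. It computes both allocation sizes and the first entry a fill loop would write past the undersized buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified userspace stand-in for the kernel's struct scatterlist.
 * The field layout is an assumption; what matters is that the object
 * is larger than a pointer to it. */
struct scatterlist {
    unsigned long page_link;
    unsigned int offset;
    unsigned int length;
    unsigned long long dma_address;
    unsigned int dma_length;
};

/* n * size with the overflow check an array allocator performs; 0 on overflow. */
static size_t array_bytes(size_t n, size_t size)
{
    return (size && n > SIZE_MAX / size) ? 0 : n * size;
}

/* Before the fix: elements sized as scatterlist pointers. */
size_t buggy_alloc_bytes(size_t n)
{
    return array_bytes(n, sizeof(struct scatterlist *));
}

/* After the fix: sizeof(*new_sg) is the size of one scatterlist object. */
size_t fixed_alloc_bytes(size_t n)
{
    struct scatterlist *new_sg = NULL; /* never dereferenced; sizeof is compile-time */
    return array_bytes(n, sizeof(*new_sg));
}

/* Walk the n entries a copy would fill and return the index of the first one
 * that does not fit in an allocation of alloc bytes, or n if all of them fit. */
size_t first_oob_entry(size_t n, size_t alloc)
{
    for (size_t i = 0; i < n; i++)
        if ((i + 1) * sizeof(struct scatterlist) > alloc)
            return i;
    return n;
}

int main(void)
{
    for (size_t n = 1; n <= 16; n *= 2)
        printf("n=%2zu buggy=%3zu fixed=%3zu first OOB entry=%zu\n", n,
               buggy_alloc_bytes(n), fixed_alloc_bytes(n),
               first_oob_entry(n, buggy_alloc_bytes(n)));
    return 0;
}
```

Building the real driver with KASAN enabled reports this class of bug as a slab-out-of-bounds write at the point where the undersized array is filled.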
Exploitation
An attacker would need to trigger a cryptographic operation that invokes the OMAP crypto driver's scatterlist copy path. This typically requires local access to the system and the ability to submit crypto requests (e.g., via AF_ALG or a kernel crypto API user). No special privileges beyond being able to use the crypto subsystem are required. The bug manifests when the driver copies scatterlists for hardware crypto offload, causing writes beyond the allocated buffer.
Impact
Successful exploitation could lead to memory corruption, potentially allowing an attacker to escalate privileges or cause a denial of service (system crash). The CVSS v3 score of 7.8 (High) reflects the possibility of local privilege escalation with low attack complexity.
Mitigation
The fix corrects the allocation to use sizeof(*new_sg), ensuring the proper object size. Patches have been applied to the Linux kernel stable trees [1][2][3]. Users should update to a kernel version 6.14 or later to include the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/1562b1fb7e17c1b3addb15e125c718b2be7f5512 (nvd, Patch)
- git.kernel.org/stable/c/2ed27b5a1174351148c3adbfc0cd86d54072ba2e (nvd, Patch)
- git.kernel.org/stable/c/31aff96a41ae6f1f1687c065607875a27c364da8 (nvd, Patch)
- git.kernel.org/stable/c/6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b (nvd, Patch)
- git.kernel.org/stable/c/79f95b51d4278044013672c27519ae88d07013d8 (nvd, Patch)
- git.kernel.org/stable/c/953c81941b0ad373674656b8767c00234ebf17ac (nvd, Patch)
- git.kernel.org/stable/c/c184341920ed78b6466360ed7b45b8922586c38f (nvd, Patch)
- git.kernel.org/stable/c/d1836c628cb72734eb5f7dfd4c996a9c18bba3ad (nvd, Patch)