VYPR
High severity 7.8 · NVD Advisory · Published May 1, 2026 · Updated May 8, 2026

CVE-2026-43033

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption

When decrypting data that is not in-place (src != dst), there is no need to save the high-order sequence bits in dst as it could simply be re-copied from the source.

However, the data to be hashed need to be rearranged accordingly.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's authencesn crypto module, out-of-place decryption incorrectly places high-order sequence bits at the end of the destination buffer, potentially causing data corruption.

Vulnerability

Description

CVE-2026-43033 is a vulnerability in the Linux kernel's authencesn crypto module. The issue occurs during out-of-place decryption (when the source and destination buffers are different). In this scenario, the code incorrectly saves the high-order sequence number (hiseq) at the end of the destination buffer, even though this is unnecessary because the data can be re-copied from the source. This misplaced data can lead to corruption of the decrypted output.
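
The rearrangement the description refers to, modeled on flat userspace buffers as an added example (not the kernel's scatterlist code and not part of the advisory). It assumes the ESP extended-sequence-number layout, with associated data SPI | seq-hi | seq-lo and the hash computed over SPI | seq-lo | ciphertext | seq-hi; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESN_AAD_LEN 12u /* assumed AAD: SPI(4) | seq-hi(4) | seq-lo(4) */

/* Build the authenticated byte string SPI | seq-lo | ciphertext | seq-hi in
 * scratch, reading only src (AAD followed by ciphertext, ICV not included).
 * Returns bytes written, or 0 if src is too short or scratch too small. */
size_t esn_build_hash_input(const uint8_t *src, size_t src_len,
                            uint8_t *scratch, size_t scratch_len)
{
    if (!src || !scratch || src_len < ESN_AAD_LEN || scratch_len < src_len)
        return 0;
    size_t ct_len = src_len - ESN_AAD_LEN;
    memcpy(scratch, src, 4);                          /* SPI */
    memcpy(scratch + 4, src + 8, 4);                  /* seq-lo */
    memcpy(scratch + 8, src + ESN_AAD_LEN, ct_len);   /* ciphertext */
    memcpy(scratch + 8 + ct_len, src + 4, 4);         /* seq-hi, moved last */
    return src_len;
}

/* Out-of-place preparation: dst gets the AAD copied verbatim from src, so
 * seq-hi is never parked in dst. Validates everything before writing. */
size_t esn_oop_prepare(const uint8_t *src, size_t src_len, uint8_t *dst,
                       size_t dst_len, uint8_t *scratch, size_t scratch_len)
{
    if (!dst || dst_len < ESN_AAD_LEN)
        return 0;
    size_t n = esn_build_hash_input(src, src_len, scratch, scratch_len);
    if (n != 0)
        memcpy(dst, src, ESN_AAD_LEN);
    return n;
}

int main(void)
{
    /* Constructed sample: SPI, seq-hi = 1, seq-lo = 0x2A, 4 ciphertext bytes. */
    const uint8_t src[16] = { 0xAA, 0xAA, 0xAA, 0xAA, 0, 0, 0, 1,
                              0, 0, 0, 0x2A, 0xC0, 0xC1, 0xC2, 0xC3 };
    uint8_t dst[16] = { 0 }, scratch[16];
    size_t n = esn_oop_prepare(src, sizeof src, dst, sizeof dst,
                               scratch, sizeof scratch);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", scratch[i], (i + 1) % 4 ? "" : " ");
    putchar('\n');
    return n == sizeof src ? 0 : 1;
}
```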

Exploitation

An attacker would need to trigger an out-of-place decryption operation using the authencesn algorithm. This requires the ability to send crafted network packets or data that the kernel processes through this crypto module. No authentication is required beyond the ability to interact with the affected subsystem. The attack surface is local or network-based, depending on how the authencesn algorithm is used (e.g., in IPsec or other cryptographic protocols).

Impact

Successful exploitation could cause data corruption during decryption, potentially leading to system instability or denial of service. The vulnerability has a CVSS v3 score of 7.8 (High), indicating significant impact on confidentiality, integrity, and availability.

Mitigation

The fix has been applied in the Linux kernel stable tree via commits [1], [2], [3], and [4]. Users should update to a kernel version containing these patches. No workarounds are documented; the recommended action is to apply the kernel update.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (7 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=4.3,<5.10.254)
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Patches

0

No patches discovered yet.
