CVE-2026-43492
Description
In the Linux kernel, the following vulnerability has been resolved:
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting "lzeros" from the unsigned "nbytes".
For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow.
When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to "nbytes".
However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger "out_len" than "in_len" and filling the "in" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:
sys_keyctl() keyctl_pkey_e_d_s() asymmetric_key_eds_op() software_key_eds_op() crypto_akcipher_sync_encrypt() crypto_akcipher_sync_prep() crypto_akcipher_encrypt() rsa_enc() mpi_read_raw_from_sgl()
To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.
Fix it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer underflow in Linux kernel's mpi_read_raw_from_sgl() can cause infinite loop DoS when processing crafted scatterlist from KEYCTL_PKEY_ENCRYPT.
Vulnerability
An integer underflow exists in mpi_read_raw_from_sgl() in lib/crypto/mpi when subtracting leading zero bytes from an unsigned nbytes variable. The bug was originally introduced in commit 2d4d1eea540b and becomes triggerable after commit 63ba4d67594a, which allows a larger out_len than in_len in the KEYCTL_PKEY_ENCRYPT system call to create an all-zero scatterlist used for both source and destination, causing the zero count to exceed nbytes and underflow.
Exploitation
An attacker must be able to invoke the KEYCTL_PKEY_ENCRYPT system call with a larger out_len than in_len and fill the input buffer with zeroes. This causes crypto_akcipher_sync_prep() to create an all-zero scatterlist that meets the conditions for the underflow. No special privileges are required if the syscall is accessible to unprivileged users.
Impact
A successful exploit causes the kernel to enter an infinite loop, resulting in a denial of service (DoS) with soft lockup splats. No code execution, privilege escalation, or information disclosure is achieved.
Mitigation
The vulnerability is fixed in the following kernel stable commits: [1], [2], [3], [4]. Users should update to a patched kernel version. No workaround is available. This CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
1026d3a97ad46c8637dfb4c1d830e513e755bb8c2f1288250a2aa77a18dc7f30e513e755bb8637dfb4c1d82aa77a18dc7f8c2f1288250a26d3a97ad46cVulnerability mechanics
Root cause
"Integer underflow in mpi_read_raw_from_sgl() when subtracting a zero-byte count (lzeros) from the unsigned nbytes parameter without a bounds check."
Attack vector
An attacker triggers the bug via a KEYCTL_PKEY_ENCRYPT system call with a larger out_len than in_len, filling the input buffer with zeroes. This causes crypto_akcipher_sync_prep() to create an all-zero scatterlist used for both src and dst. The while loop in mpi_read_raw_from_sgl() counts more leading zero bytes than nbytes, and subtracting that count from the unsigned nbytes produces an integer underflow, leading to an infinite loop and kernel soft lockup.
Affected code
The vulnerable function is mpi_read_raw_from_sgl() in lib/crypto/mpi/mpicoder.c (or similar path under lib/crypto/mpi/). The defect is in the while loop that counts leading zero bytes (lzeros) from the scatterlist and then subtracts lzeros from the unsigned nbytes variable without checking whether lzeros exceeds nbytes.
What the fix does
The patch [patch_id=602985] adds a check so that if lzeros exceeds nbytes, the function returns an error (-EINVAL) instead of performing the subtraction. This prevents the integer underflow. The fix also ensures that when nbytes is reduced to zero after subtracting lzeros, the function returns a valid zero-length MPI rather than proceeding with a corrupted length value.
Preconditions
- inputThe scatterlist must contain more leading zero bytes than the nbytes parameter value
- inputThe first nbytes+1 bytes of the scatterlist must be zero
- networkLocal access required to invoke KEYCTL_PKEY_ENCRYPT system call
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/26d3a97ad46c7a9226ec04d4bf35bd4998a97d16nvd
- git.kernel.org/stable/c/2aa77a18dc7f2670497fe3ee5acbeda0b57659e5nvd
- git.kernel.org/stable/c/30e513e755bb381afce6fb57cdc8694136193f22nvd
- git.kernel.org/stable/c/8637dfb4c1d8a7026ef681f2477c6de8b71c4003nvd
- git.kernel.org/stable/c/8c2f1288250a90a4b5cabed5d888d7e3aeed4035nvd
News mentions
0No linked articles in our index yet.