VYPR
Critical severity 9.8 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-43493

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: pcrypt - Fix handling of MAY_BACKLOG requests

MAY_BACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing EBUSY handling for MAY_BACKLOG requests in the Linux kernel's pcrypt crypto code can cause a use-after-free or crash.

Vulnerability

In the Linux kernel's crypto/pcrypt subsystem, a flaw exists in how MAY_BACKLOG requests are handled. Requests with the MAY_BACKLOG flag can return -EBUSY when the crypto backend is congested; however, the pcrypt code did not check for this return value and did not correctly filter out EINPROGRESS notifications. This bug affects multiple stable kernel versions, as indicated by the patches in commits [1], [2], [3], and [4].

Exploitation

An attacker able to submit MAY_BACKLOG requests to the pcrypt subsystem (e.g., via a local process making AF_ALG socket calls or through other crypto operations that reach pcrypt) can trigger a race condition. When the backend returns -EBUSY, the missing error handling causes the request to be treated as completed prematurely, potentially leading to use of freed memory or double completion. No special privileges are required if the attacker has local access and the kernel is configured with pcrypt.

Impact

Successful exploitation can lead to memory corruption, a kernel crash (denial of service), or potentially arbitrary code execution due to use-after-free of crypto request structures. The CVSS v3 score of 9.8 (Critical) reflects the possibility of remote exploitation if the attack surface is reachable over the network, though the primary vector is local. The impact includes complete loss of confidentiality, integrity, and availability.

Mitigation

The vulnerability is fixed by applying the kernel patches referenced in commits [1], [2], [3], and [4]. System administrators should update to the latest stable kernels containing these fixes as soon as possible. If a kernel update is not immediately feasible, the pcrypt module can be blacklisted via /etc/modprobe.d/blacklist.conf as a workaround, provided it is not required for operation. No evidence of inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog was found at the time of writing.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

10

Vulnerability mechanics

Root cause

"Missing handling of EBUSY return from MAY_BACKLOG crypto requests in pcrypt, causing EINPROGRESS notifications to be incorrectly filtered."

Attack vector

An attacker can trigger this bug by submitting crypto requests with the MAY_BACKLOG flag set to the pcrypt subsystem. When the crypto backend is busy, such requests return EBUSY instead of EINPROGRESS. The pcrypt completion handler fails to recognize EBUSY as a valid return, leading to missed or incorrect completion notifications. This can cause the submitting process to hang indefinitely waiting for a completion that will never arrive, or to misinterpret the request state.

Affected code

The vulnerability exists in the pcrypt completion handler within the Linux kernel's crypto subsystem. The patch files (patch_ids 602980-602984) modify the pcrypt request completion logic to properly handle EBUSY return values from MAY_BACKLOG requests. The exact function names and file paths are not specified in the advisory, but the changes are in the pcrypt (parallel crypto) layer.

What the fix does

The patch adds explicit handling for the EBUSY return value that MAY_BACKLOG requests can produce. In the pcrypt completion path, the code now checks for EBUSY and treats it similarly to EINPROGRESS, ensuring that backlogged requests receive proper completion notifications. The fix also filters out duplicate EINPROGRESS notifications that could previously occur when a request was both backlogged and in progress. This closes the gap where a MAY_BACKLOG request returning EBUSY would be silently dropped without any completion signal.
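The completion behaviour described above can be reproduced in a small user-space model. This is an added example, not kernel code and not the patch itself; every name in it is hypothetical. It relies on the kernel crypto API convention that a backlogged request's callback is first invoked with -EINPROGRESS and only later with the final result.

```c
/* Added example: user-space model of the completion contract (hypothetical names). */
#include <errno.h>
#include <stdio.h>

struct req {
    void (*done)(struct req *r, int err); /* wrapper's completion callback */
    int completions;                      /* times the wrapper finished the request */
};

/* Backend model: a backlogged request is first notified with -EINPROGRESS
 * (it left the backlog), then receives its real result. */
static void backend_run(struct req *r, int was_backlogged)
{
    if (was_backlogged)
        r->done(r, -EINPROGRESS);
    r->done(r, 0);
}

/* Pre-fix shape: every callback is treated as the final completion. */
static void done_unfiltered(struct req *r, int err)
{
    (void)err;
    r->completions++;
}

/* Post-fix shape: the -EINPROGRESS notification is filtered out. */
static void done_filtered(struct req *r, int err)
{
    if (err == -EINPROGRESS)
        return;
    r->completions++;
}

/* Submits one request and returns how many times it was completed. */
static int run_once(int fixed, int queue_full)
{
    struct req r = { fixed ? done_filtered : done_unfiltered, 0 };
    int ret = queue_full ? -EBUSY : -EINPROGRESS; /* MAY_BACKLOG submit result */
    int pending = ret == -EINPROGRESS || (fixed && ret == -EBUSY);

    if (!pending)
        r.done(&r, ret);            /* -EBUSY mistaken for a synchronous result */
    backend_run(&r, ret == -EBUSY); /* backend still owns the request */
    return r.completions;
}

int main(void)
{
    printf("pre-fix: %d completions, fixed: %d\n", run_once(0, 1), run_once(1, 1));
    return 0;
}
```

With a full queue, the unfiltered variant completes a single request three times, which is the double-completion and premature-completion hazard the advisory describes; the filtered variant completes it once.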

Preconditions

  • input: Attacker must be able to submit crypto requests with the MAY_BACKLOG flag set to the pcrypt subsystem.
  • config: The crypto backend must be under sufficient load that it returns EBUSY for backlogged requests.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
