VYPR
← All advisories
Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-45937

CVE-2026-45937

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: inside-secure/eip93 - fix kernel panic in driver detach

During driver detach, the same hash algorithm is unregistered multiple times due to a wrong iterator.

Affected products

1

Patches

6
b6e32ba6d325

crypto: inside-secure/eip93 - fix kernel panic in driver detach

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAleksander Jan BajkowskiDec 30, 2025Fixed in 7.0via kernel-cna
commit
1 file changed · +1 2
  • drivers/crypto/inside-secure/eip93/eip93-main.c+1 2 modified
    diff --git a/drivers/crypto/inside-secure/eip93/eip93-main.c b/drivers/crypto/inside-secure/eip93/eip93-main.c
index 0b38a567da0e01..3cdc3308dcac86 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-main.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-main.c
@@ -90,7 +90,7 @@ static void eip93_unregister_algs(unsigned int i)
 			crypto_unregister_aead(&eip93_algs[j]->alg.aead);
 			break;
 		case EIP93_ALG_TYPE_HASH:
-			crypto_unregister_ahash(&eip93_algs[i]->alg.ahash);
+			crypto_unregister_ahash(&eip93_algs[j]->alg.ahash);
 			break;
 		}
 	}
-- 
cgit 1.3-korg
7530c3595d1e

crypto: inside-secure/eip93 - fix kernel panic in driver detach

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAleksander Jan BajkowskiDec 30, 2025Fixed in 6.18.14via kernel-cna
commit
1 file changed · +1 2
  • drivers/crypto/inside-secure/eip93/eip93-main.c+1 2 modified
    diff --git a/drivers/crypto/inside-secure/eip93/eip93-main.c b/drivers/crypto/inside-secure/eip93/eip93-main.c
index 0b38a567da0e01..3cdc3308dcac86 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-main.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-main.c
@@ -90,7 +90,7 @@ static void eip93_unregister_algs(unsigned int i)
 			crypto_unregister_aead(&eip93_algs[j]->alg.aead);
 			break;
 		case EIP93_ALG_TYPE_HASH:
-			crypto_unregister_ahash(&eip93_algs[i]->alg.ahash);
+			crypto_unregister_ahash(&eip93_algs[j]->alg.ahash);
 			break;
 		}
 	}
-- 
cgit 1.3-korg
91c6f25075a8

crypto: inside-secure/eip93 - fix kernel panic in driver detach

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAleksander Jan BajkowskiDec 30, 2025Fixed in 6.19.4via kernel-cna
commit
1 file changed · +1 2
  • drivers/crypto/inside-secure/eip93/eip93-main.c+1 2 modified
    diff --git a/drivers/crypto/inside-secure/eip93/eip93-main.c b/drivers/crypto/inside-secure/eip93/eip93-main.c
index 0b38a567da0e01..3cdc3308dcac86 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-main.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-main.c
@@ -90,7 +90,7 @@ static void eip93_unregister_algs(unsigned int i)
 			crypto_unregister_aead(&eip93_algs[j]->alg.aead);
 			break;
 		case EIP93_ALG_TYPE_HASH:
-			crypto_unregister_ahash(&eip93_algs[i]->alg.ahash);
+			crypto_unregister_ahash(&eip93_algs[j]->alg.ahash);
 			break;
 		}
 	}
-- 
cgit 1.3-korg
b6e32ba6d325

crypto: inside-secure/eip93 - fix kernel panic in driver detach

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitAleksander Jan BajkowskiDec 30, 2025via nvd-ref
commit
1 file changed · +1 2
  • drivers/crypto/inside-secure/eip93/eip93-main.c+1 2 modified
    diff --git a/drivers/crypto/inside-secure/eip93/eip93-main.c b/drivers/crypto/inside-secure/eip93/eip93-main.c
index 0b38a567da0e01..3cdc3308dcac86 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-main.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-main.c
@@ -90,7 +90,7 @@ static void eip93_unregister_algs(unsigned int i)
 			crypto_unregister_aead(&eip93_algs[j]->alg.aead);
 			break;
 		case EIP93_ALG_TYPE_HASH:
-			crypto_unregister_ahash(&eip93_algs[i]->alg.ahash);
+			crypto_unregister_ahash(&eip93_algs[j]->alg.ahash);
 			break;
 		}
 	}
-- 
cgit 1.3-korg
91c6f25075a8

crypto: inside-secure/eip93 - fix kernel panic in driver detach

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitAleksander Jan BajkowskiDec 30, 2025via nvd-ref
commit
1 file changed · +1 2
  • drivers/crypto/inside-secure/eip93/eip93-main.c+1 2 modified
    diff --git a/drivers/crypto/inside-secure/eip93/eip93-main.c b/drivers/crypto/inside-secure/eip93/eip93-main.c
index 0b38a567da0e01..3cdc3308dcac86 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-main.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-main.c
@@ -90,7 +90,7 @@ static void eip93_unregister_algs(unsigned int i)
 			crypto_unregister_aead(&eip93_algs[j]->alg.aead);
 			break;
 		case EIP93_ALG_TYPE_HASH:
-			crypto_unregister_ahash(&eip93_algs[i]->alg.ahash);
+			crypto_unregister_ahash(&eip93_algs[j]->alg.ahash);
 			break;
 		}
 	}
-- 
cgit 1.3-korg
7530c3595d1e

crypto: inside-secure/eip93 - fix kernel panic in driver detach

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitAleksander Jan BajkowskiDec 30, 2025via nvd-ref
commit
1 file changed · +1 2
  • drivers/crypto/inside-secure/eip93/eip93-main.c+1 2 modified
    diff --git a/drivers/crypto/inside-secure/eip93/eip93-main.c b/drivers/crypto/inside-secure/eip93/eip93-main.c
index 0b38a567da0e01..3cdc3308dcac86 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-main.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-main.c
@@ -90,7 +90,7 @@ static void eip93_unregister_algs(unsigned int i)
 			crypto_unregister_aead(&eip93_algs[j]->alg.aead);
 			break;
 		case EIP93_ALG_TYPE_HASH:
-			crypto_unregister_ahash(&eip93_algs[i]->alg.ahash);
+			crypto_unregister_ahash(&eip93_algs[j]->alg.ahash);
 			break;
 		}
 	}
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Use of wrong loop iterator variable `i` instead of `j` in the hash algorithm unregistration path causes the same algorithm to be unregistered multiple times."

Attack vector

No attacker-triggered preconditions are required; the bug manifests during normal driver detach (e.g., module removal or device unbind). When the kernel iterates over registered algorithms in `eip93_unregister_algs()`, the hash case uses the outer loop index `i` instead of the inner loop index `j`, causing the same hash algorithm to be passed to `crypto_unregister_ahash()` on every iteration. This double-unregistration triggers a kernel panic [patch_id=2661181].

Affected code

The bug is in `drivers/crypto/inside-secure/eip93/eip93-main.c` in the function `eip93_unregister_algs()` [patch_id=2661181]. The `case EIP93_ALG_TYPE_HASH` branch incorrectly indexes into `eip93_algs` with the outer loop variable `i` instead of the inner loop variable `j`.

What the fix does

The patch changes `crypto_unregister_ahash(&eip93_algs[i]->alg.ahash)` to `crypto_unregister_ahash(&eip93_algs[j]->alg.ahash)` in `eip93-main.c` [patch_id=2661181]. The variable `i` is the outer loop index that remains constant across the inner loop, while `j` is the correct inner-loop iterator that walks through each algorithm entry. Using `j` ensures each hash algorithm is unregistered exactly once, preventing the double-unregister panic.

Preconditions

  • configThe EIP93 crypto driver must be loaded and then detached (module removal or device unbind).
  • inputAt least one hash algorithm must have been registered by the driver.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.