Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45959

CVE-2026-45959

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

Annotating a local pointer variable, which will be assigned with the kmalloc-family functions, with the __cleanup(kfree) attribute will make the address of the local variable, rather than the address returned by kmalloc, passed to kfree directly and lead to a crash due to invalid deallocation of stack address. According to other places in the repo, the correct usage should be __free(kfree). The code coincidentally compiled because the parameter type void * of kfree is compatible with the desired type struct { ... } **.

Affected products

1

Patches

6
90f9090e3e74

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

2 files changed · +2 4
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
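Review bot: The corrected declaration of `wa` has no comment saying why `__free(kfree)` is required, and the broken form compiled without a warning, so the same mistake can slip back in during a later cleanup. I would add above the declaration: `/* __free(kfree), not __cleanup(kfree): the cleanup handler receives &wa, and only the __free wrapper dereferences it before kfree() */`. Because kfree() accepts a void pointer, the compiler cannot catch the mismatch, so a tree-wide search or static-analysis rule for `__cleanup(kfree)` and other bare free functions is worth adding alongside this fix. The NULL check on the kzalloc() result is not visible here, since the body of `ccp_run_aes_gcm_cmd` continues outside the hunk; confirm it follows the declaration block. The identical hunk is repeated further down the page for each listed patch id, and the same note applies to every copy.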
    -- 
    cgit 1.3-korg
    
    
    
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
9a3ace9b010f

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

2 files changed · +2 4
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
d5abcc33ee76

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

2 files changed · +2 4
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
90f9090e3e74

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

2 files changed · +2 4
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
9a3ace9b010f

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

2 files changed · +2 4
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
d5abcc33ee76

crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

2 files changed · +2 4
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    
  • drivers/crypto/ccp/ccp-ops.c+1 2 modified
    diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
    index d78865d9d5f09c..d0412e58476253 100644
    --- a/drivers/crypto/ccp/ccp-ops.c
    +++ b/drivers/crypto/ccp/ccp-ops.c
    @@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
     		struct ccp_data dst;
     		struct ccp_data aad;
     		struct ccp_op op;
    -	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
    +	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
     	unsigned int dm_offset;
     	unsigned int authsize;
     	unsigned int jobid;
    -- 
    cgit 1.3-korg
    
    
    

Vulnerability mechanics

Root cause

"Incorrect use of `__cleanup(kfree)` instead of `__free(kfree)` on a heap-allocated pointer causes the address of the local variable (on the stack) to be passed to kfree instead of the heap address returned by kzalloc."

Attack vector

The flaw does not depend on attacker-controlled data: the crash occurs whenever the function `ccp_run_aes_gcm_cmd` is invoked during normal cryptographic operation processing by the CCP driver [patch_id=2660975]. The `__cleanup(kfree)` attribute causes the compiler to emit a call to kfree with the stack address of the local pointer variable `wa` rather than the heap address returned by kzalloc, leading to an invalid deallocation and a kernel crash [patch_id=2660977]. No special payload or elevated privileges are required beyond being able to submit an AES-GCM operation to the crypto subsystem.

Affected code

The vulnerable code is in `drivers/crypto/ccp/ccp-ops.c` in the function `ccp_run_aes_gcm_cmd` [patch_id=2660975]. The local variable `wa` (an anonymous struct pointer) was declared with `__cleanup(kfree)` instead of the correct `__free(kfree)` attribute [patch_id=2660977].

What the fix does

The patch replaces `__cleanup(kfree)` with `__free(kfree)` on the local pointer variable `wa` in `ccp_run_aes_gcm_cmd` [patch_id=2660975]. The `__cleanup` attribute passes the address of the local variable itself to the cleanup function, which for a pointer variable means kfree receives a stack address instead of the heap address. The `__free(kfree)` form instead goes through a generated wrapper that dereferences that address first, so kfree receives the value of the pointer (the heap address returned by kzalloc). The patch also changes `sizeof *wa` to `sizeof(*wa)` for consistency; this is a cosmetic change [patch_id=2660977].

Preconditions

  • config: The kernel must have been built with CONFIG_CRYPTO_DEV_CCP enabled and the CCP driver loaded.
  • input: An attacker or process must submit an AES-GCM cryptographic operation to the CCP driver, triggering ccp_run_aes_gcm_cmd.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
