CVE-2026-45986
Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccree - fix a memory leak in cc_mac_digest()
Add cc_unmap_result() if cc_map_hash_request_final() fails to prevent potential memory leak.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's ccree crypto driver's cc_mac_digest() function can be triggered when cc_map_hash_request_final() fails, leading to potential resource exhaustion.
Vulnerability
In the Linux kernel's crypto subsystem, the ccree driver contains a memory leak in the cc_mac_digest() function. When cc_map_hash_request_final() fails, the function does not call cc_unmap_result(), leaving allocated memory unreleased. This affects versions prior to the fix commit [1].
Exploitation
An attacker would need to trigger a failure in cc_map_hash_request_final() within the cc_mac_digest() code path. This could be achieved by sending crafted cryptographic requests that cause the mapping operation to fail, possibly through resource exhaustion or invalid parameters. No special privileges are required if the attacker can submit crypto operations to the kernel.
Impact
Successful exploitation results in a memory leak, which over time can lead to resource exhaustion and denial of service (DoS). The leak is local to the kernel memory space and does not directly allow privilege escalation or data disclosure.
Mitigation
The fix was applied in the Linux kernel stable tree via commit [1]. Users should update to a kernel version containing this commit. No workaround is available other than applying the patch.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches
3061c9bfb3f5 crypto: ccree - fix a memory leak in cc_mac_digest()
1 file changed · +1 −1
drivers/crypto/ccree/cc_hash.c+1 −1 modifieddiff --git a/drivers/crypto/ccree/cc_hash.c b/drivers/crypto/ccree/cc_hash.c index f418162932fe39..ef9bde93a695c9 100644 --- a/drivers/crypto/ccree/cc_hash.c +++ b/drivers/crypto/ccree/cc_hash.c @@ -1448,6 +1448,7 @@ static int cc_mac_digest(struct ahash_request *req) if (cc_map_hash_request_final(ctx->drvdata, state, req->src, req->nbytes, 1, flags)) { dev_err(dev, "map_ahash_request_final() failed\n"); + cc_unmap_result(dev, state, digestsize, req->result); cc_unmap_req(dev, state, ctx); return -ENOMEM; } -- cgit 1.3-korg
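Review bot: in the cc_map_hash_request_final() failure branch, the added cc_unmap_result() becomes a second hand-written cleanup call next to cc_unmap_req(), and the branch still returns a fixed -ENOMEM instead of the callee's return value. Consider storing the return code and jumping to shared unwind labels (unmap_result, then unmap_req) so that every failure path in cc_mac_digest() releases the same mappings and reports whatever error the callee returned.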
22f1dd4ca3bf crypto: ccree - fix a memory leak in cc_mac_digest()
1 file changed · +1 −1
drivers/crypto/ccree/cc_hash.c+1 −1 modifieddiff --git a/drivers/crypto/ccree/cc_hash.c b/drivers/crypto/ccree/cc_hash.c index f418162932fe39..ef9bde93a695c9 100644 --- a/drivers/crypto/ccree/cc_hash.c +++ b/drivers/crypto/ccree/cc_hash.c @@ -1448,6 +1448,7 @@ static int cc_mac_digest(struct ahash_request *req) if (cc_map_hash_request_final(ctx->drvdata, state, req->src, req->nbytes, 1, flags)) { dev_err(dev, "map_ahash_request_final() failed\n"); + cc_unmap_result(dev, state, digestsize, req->result); cc_unmap_req(dev, state, ctx); return -ENOMEM; } -- cgit 1.3-korg
910f335786a0 crypto: ccree - fix a memory leak in cc_mac_digest()
1 file changed · +1 −1
drivers/crypto/ccree/cc_hash.c+1 −1 modifieddiff --git a/drivers/crypto/ccree/cc_hash.c b/drivers/crypto/ccree/cc_hash.c index c6d085c8ff797e..73179bf725a712 100644 --- a/drivers/crypto/ccree/cc_hash.c +++ b/drivers/crypto/ccree/cc_hash.c @@ -1448,6 +1448,7 @@ static int cc_mac_digest(struct ahash_request *req) if (cc_map_hash_request_final(ctx->drvdata, state, req->src, req->nbytes, 1, flags)) { dev_err(dev, "map_ahash_request_final() failed\n"); + cc_unmap_result(dev, state, digestsize, req->result); cc_unmap_req(dev, state, ctx); return -ENOMEM; } -- cgit 1.3-korg
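Review bot: the dev_err() context line in this hunk prints "map_ahash_request_final() failed", but the call that failed is cc_map_hash_request_final(), so the log text cannot be matched to the source by function name during triage. Align the message with the function name while the branch is being touched, or leave it to a separate cleanup patch if this is meant to stay a minimal stable backport.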
502440c235fe crypto: ccree - fix a memory leak in cc_mac_digest()
1 file changed · +1 −1
drivers/crypto/ccree/cc_hash.c+1 −1 modifieddiff --git a/drivers/crypto/ccree/cc_hash.c b/drivers/crypto/ccree/cc_hash.c index c6d085c8ff797e..73179bf725a712 100644 --- a/drivers/crypto/ccree/cc_hash.c +++ b/drivers/crypto/ccree/cc_hash.c @@ -1448,6 +1448,7 @@ static int cc_mac_digest(struct ahash_request *req) if (cc_map_hash_request_final(ctx->drvdata, state, req->src, req->nbytes, 1, flags)) { dev_err(dev, "map_ahash_request_final() failed\n"); + cc_unmap_result(dev, state, digestsize, req->result); cc_unmap_req(dev, state, ctx); return -ENOMEM; } -- cgit 1.3-korg
02c64052fad0 crypto: ccree - fix a memory leak in cc_mac_digest()
1 file changed · +1 −1
drivers/crypto/ccree/cc_hash.c+1 −1 modifieddiff --git a/drivers/crypto/ccree/cc_hash.c b/drivers/crypto/ccree/cc_hash.c index c6d085c8ff797e..73179bf725a712 100644 --- a/drivers/crypto/ccree/cc_hash.c +++ b/drivers/crypto/ccree/cc_hash.c @@ -1448,6 +1448,7 @@ static int cc_mac_digest(struct ahash_request *req) if (cc_map_hash_request_final(ctx->drvdata, state, req->src, req->nbytes, 1, flags)) { dev_err(dev, "map_ahash_request_final() failed\n"); + cc_unmap_result(dev, state, digestsize, req->result); cc_unmap_req(dev, state, ctx); return -ENOMEM; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing cleanup call `cc_unmap_result()` in the error path of `cc_mac_digest()` when `cc_map_hash_request_final()` fails, causing a DMA mapping leak."
Attack vector
An attacker triggers the bug by submitting an ahash request that causes `cc_map_hash_request_final()` to fail inside `cc_mac_digest()`. The function is in the crypto driver path reachable from user-space through the kernel's crypto API (e.g., AF_ALG or cryptodev). When the mapping fails, the error path calls `cc_unmap_req()` but omits `cc_unmap_result()`, leaving the DMA mapping for `req->result` (the digest output buffer) dangling. Repeated triggering exhausts DMA-mapped memory, leading to denial of service.
Affected code
The bug is in `drivers/crypto/ccree/cc_hash.c` in the function `cc_mac_digest()`. At line 1448, when `cc_map_hash_request_final()` fails, the error path calls `cc_unmap_req()` but was missing a call to `cc_unmap_result()` before returning `-ENOMEM`.
What the fix does
The patch adds a single call to `cc_unmap_result(dev, state, digestsize, req->result)` immediately before the existing `cc_unmap_req()` call in the error path of `cc_mac_digest()` [patch_id=2660676]. This ensures that the DMA mapping for the digest result buffer (`req->result`) is properly unmapped when `cc_map_hash_request_final()` fails, preventing the memory leak. The same one-line fix is backported across multiple stable kernel versions [patch_id=2660677, patch_id=2660678, patch_id=2660679, patch_id=2660680, patch_id=2660681, patch_id=2660682, patch_id=2660683, patch_id=2660684, patch_id=2660685].
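The error-path pairing described above, as an added user-space model that is not the ccree driver's code: counters stand in for DMA mappings, and a fault-injection helper reports how many mappings remain held after a failure at each step. The helper names and the map order (request, result, final) are assumptions made for the illustration.

```c
#include <stdio.h>

/* Constructed model: a "mapping" is a counter bump, not real DMA. */
enum step { MAP_REQ, MAP_RESULT, MAP_FINAL, N_STEPS };
static int outstanding;   /* mappings currently held */
static int fail_at;       /* step forced to fail; N_STEPS means none */

static int map_step(int s)
{
    if (s == fail_at)
        return -1;        /* a failed map holds nothing */
    outstanding++;
    return 0;
}
static void unmap_step(void) { outstanding--; }

/* Pre-fix shape: the final-map failure branch releases only the request. */
static int digest_before(void)
{
    if (map_step(MAP_REQ)) return -1;
    if (map_step(MAP_RESULT)) { unmap_step(); return -1; }
    if (map_step(MAP_FINAL)) { unmap_step(); return -1; } /* result leaks */
    unmap_step(); unmap_step(); unmap_step();             /* completion */
    return 0;
}

/* Post-fix shape as a goto unwind: each label releases one earlier step. */
static int digest_after(void)
{
    if (map_step(MAP_REQ)) return -1;
    if (map_step(MAP_RESULT)) goto unmap_req;
    if (map_step(MAP_FINAL)) goto unmap_result;
    unmap_step(); unmap_step(); unmap_step();
    return 0;
unmap_result:
    unmap_step();
unmap_req:
    unmap_step();
    return -1;
}

/* Fault injection: mappings still held after forcing a failure at `step`. */
static int leaked_after_failure(int (*digest)(void), int step)
{
    outstanding = 0;
    fail_at = step;
    digest();
    return outstanding;
}

int main(void)
{
    for (int s = 0; s <= N_STEPS; s++)
        printf("fail_at=%d before=%d after=%d\n", s, leaked_after_failure(digest_before, s), leaked_after_failure(digest_after, s));
    return 0;
}
```

Running the same per-step injection against every error branch of a driver function is what turns a missed unmap into a failing test rather than a slow leak in production.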
Preconditions
- config: The kernel must have the ccree crypto driver built or loaded as a module.
- auth: An attacker must be able to submit ahash requests through the kernel crypto API (e.g., via AF_ALG socket or cryptodev).
- input: The mapping operation cc_map_hash_request_final() must fail (e.g., due to memory pressure or invalid scatter-gather list).
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/02c64052fad03699b9c6d1df2f9b444d17e4ac50 (nvd)
- git.kernel.org/stable/c/22f1dd4ca3bfe77db52cc7df3cc353dc114aab8b (nvd)
- git.kernel.org/stable/c/3061c9bfb3f5b3522ab174e2fa7473b24422d1c6 (nvd)
- git.kernel.org/stable/c/502440c235fe34cee02b24d7f893841f7565b3bc (nvd)
- git.kernel.org/stable/c/910f335786a0a0f0b46c3c8c19a13d25cb4454b6 (nvd)