Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-46019

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

atmel_aes_buff_init() allocates 4 pages using __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the first page using free_page(), leaking the remaining 3 pages. Use free_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leak in Linux kernel's atmel-aes driver: buffer cleanup frees only one of four allocated pages, leading to eventual memory exhaustion.

Vulnerability

In the Linux kernel's atmel-aes driver, atmel_aes_buff_init() allocates 4 pages using __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the first page using free_page(), leaking the remaining 3 pages. This affects the crypto subsystem for Atmel AES hardware. The issue exists in kernel versions prior to the inclusion of commit b63f1e2f0e319ad3fe4a58eb3db4fd50cc98baca [1].

Exploitation

An attacker needs to trigger repeated allocation and cleanup of the AES buffer. This can be achieved by continuously using the Atmel AES crypto operations, which requires the ability to load and interact with the atmel-aes driver. Local access or privileged container access is necessary to invoke these operations [1].

Impact

Repeated exploitation leaks three pages of memory per cycle, leading to system memory exhaustion over time and potentially causing a denial of service (DoS). No data confidentiality, integrity, or privilege escalation impact has been reported [1].

Mitigation

The fix is included in Linux kernel stable commit b63f1e2f0e319ad3fe4a58eb3db4fd50cc98baca [1]. Users should update to a kernel version containing this commit. No workarounds are documented in the available reference.

References

Making sure you're not a bot!

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Linux/atmel-aesllm-create
Linux/Kernelllm-fuzzy

Patches

b63f1e2f0e31

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumMar 11, 2026Fixed in 6.6.140via kernel-cna

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 55b5f577b01c84..97fcde0126766e 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2323,7 +2323,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

61516b4a5b26

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumMar 11, 2026Fixed in 6.18.27via kernel-cna

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 3a2684208dda9e..5a6d64be818586 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2131,7 +2131,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

230ad8a78fe6

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumMar 11, 2026Fixed in 7.0.4via kernel-cna

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index bc0c40f10944ca..9b0cb97055dc5c 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2131,7 +2131,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

3fcfff4ed35f

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumMar 11, 2026Fixed in 7.1-rc1via kernel-cna

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index bc0c40f10944ca..9b0cb97055dc5c 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2131,7 +2131,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

65b3589d39d0

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumMar 11, 2026Fixed in 6.12.86via kernel-cna

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 0dd90785db9a86..5f53936eb905df 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2130,7 +2130,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

61516b4a5b26

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten BlumMar 11, 2026via nvd-ref

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 3a2684208dda9e..5a6d64be818586 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2131,7 +2131,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

230ad8a78fe6

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten BlumMar 11, 2026via nvd-ref

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index bc0c40f10944ca..9b0cb97055dc5c 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2131,7 +2131,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

3fcfff4ed35f

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten BlumMar 11, 2026via nvd-ref

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index bc0c40f10944ca..9b0cb97055dc5c 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2131,7 +2131,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

65b3589d39d0

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten BlumMar 11, 2026via nvd-ref

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 0dd90785db9a86..5f53936eb905df 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2130,7 +2130,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

b63f1e2f0e31

crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten BlumMar 11, 2026via nvd-ref

commit

1 file changed · +1 −2

drivers/crypto/atmel-aes.c+1 −2 modified

diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 55b5f577b01c84..97fcde0126766e 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2323,7 +2323,7 @@ static int atmel_aes_buff_init(struct atmel_aes_dev *dd)
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Mismatched allocation/free: atmel_aes_buff_init() allocates 4 pages via __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() calls free_page() which frees only 1 page, leaking the remaining 3 pages."

Attack vector

This is a memory leak bug in the Atmel AES crypto driver, not a remotely triggerable vulnerability. The leak occurs when the driver's buffer cleanup path is invoked during normal device teardown or error unwinding. An attacker with local access who can repeatedly load/unload the driver or trigger AES crypto operations that cause buffer allocation followed by cleanup could exhaust system memory over time, leading to denial of service. No special network path or payload is required beyond the ability to interact with the Atmel AES hardware through the kernel crypto API.

Affected code

The bug is in drivers/crypto/atmel-aes.c in the function atmel_aes_buff_cleanup(). The allocation in atmel_aes_buff_init() uses __get_free_pages() with ATMEL_AES_BUFFER_ORDER (which allocates 4 pages), but the cleanup function incorrectly called free_page() instead of free_pages() with the matching order [patch_id=2660397].

What the fix does

The patch changes the single call to free_page() to free_pages() while passing ATMEL_AES_BUFFER_ORDER as the order argument [patch_id=2660397]. This ensures that all 4 pages allocated by __get_free_pages() in atmel_aes_buff_init() are properly freed, matching the allocation order. The fix is a one-line change in drivers/crypto/atmel-aes.c in the atmel_aes_buff_cleanup() function.

Preconditions

authLocal access to trigger AES crypto operations or device load/unload cycles on a system with Atmel AES hardware.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000