CVE-2026-46033
Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: authencesn - reject short ahash digests during instance creation
authencesn requires either a zero authsize or an authsize of at least 4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of high-order sequence number data at the end of the authenticated data.
While crypto_authenc_esn_setauthsize() already rejects explicit non-zero authsizes in the range 1..3, crypto_authenc_esn_create() still copied auth->digestsize into inst->alg.maxauthsize without validating it. The AEAD core then initialized the tfm's default authsize from that value.
As a result, selecting an ahash with digest size 1..3, such as cbcmac(cipher_null), exposed authencesn instances whose default authsize was invalid even though setauthsize() would have rejected the same value. AF_ALG could then trigger the ESN tail handling with a too-short tag and hit an out-of-bounds access.
Reject authencesn instances whose ahash digest size is in the invalid non-zero range 1..3 so that no tfm can inherit an unsupported default authsize.
Patches
b69933e97efe crypto: authencesn - reject short ahash digests during instance creation
1 file changed · +5 −1
crypto/authencesn.c+5 −1 modifieddiff --git a/crypto/authencesn.c b/crypto/authencesn.c index eeda044a0f5fb5..55833cfea09ac9 100644 --- a/crypto/authencesn.c +++ b/crypto/authencesn.c @@ -397,6 +397,11 @@ static int crypto_authenc_esn_create(struct crypto_template *tmpl, auth = crypto_spawn_ahash_alg(&ctx->auth); auth_base = &auth->base; + if (auth->digestsize > 0 && auth->digestsize < 4) { + err = -EINVAL; + goto err_free_inst; + } + err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst), crypto_attr_alg_name(tb[2]), 0, mask); if (err) -- cgit 1.3-korg
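Review bot: the bound in `if (auth->digestsize > 0 && auth->digestsize < 4)` is a bare constant with no comment, so a reader of crypto_authenc_esn_create() cannot tell from the code why 4 is the minimum or why a zero digest size is still accepted. Add a one-line comment tying the 4 to the 4 bytes of high-order sequence number data that the ESN paths move. Alternatively, move the test into a small helper shared with crypto_authenc_esn_setauthsize(), which the commit description says already rejects 1..3, so the create-time and setauthsize-time rules cannot drift apart again.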
67f1f0933cc3 crypto: authencesn - reject short ahash digests during instance creation
1 file changed · +5 −1
crypto/authencesn.c+5 −1 modifieddiff --git a/crypto/authencesn.c b/crypto/authencesn.c index c01cc3087919ca..ac9eab13a3cb36 100644 --- a/crypto/authencesn.c +++ b/crypto/authencesn.c @@ -390,6 +390,11 @@ static int crypto_authenc_esn_create(struct crypto_template *tmpl, auth = crypto_spawn_ahash_alg(&ctx->auth); auth_base = &auth->base; + if (auth->digestsize > 0 && auth->digestsize < 4) { + err = -EINVAL; + goto err_free_inst; + } + err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst), crypto_attr_alg_name(tb[2]), 0, mask); if (err) -- cgit 1.3-korg
9aff81e8217e crypto: authencesn - reject short ahash digests during instance creation
1 file changed · +5 −1
crypto/authencesn.c+5 −1 modifieddiff --git a/crypto/authencesn.c b/crypto/authencesn.c index af3d584e584fbc..522df41365d8f9 100644 --- a/crypto/authencesn.c +++ b/crypto/authencesn.c @@ -390,6 +390,11 @@ static int crypto_authenc_esn_create(struct crypto_template *tmpl, auth = crypto_spawn_ahash_alg(&ctx->auth); auth_base = &auth->base; + if (auth->digestsize > 0 && auth->digestsize < 4) { + err = -EINVAL; + goto err_free_inst; + } + err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst), crypto_attr_alg_name(tb[2]), 0, mask); if (err) -- cgit 1.3-korg
5db6ef984771 crypto: authencesn - reject short ahash digests during instance creation
1 file changed · +5 −1
crypto/authencesn.c+5 −1 modifieddiff --git a/crypto/authencesn.c b/crypto/authencesn.c index af3d584e584fbc..522df41365d8f9 100644 --- a/crypto/authencesn.c +++ b/crypto/authencesn.c @@ -390,6 +390,11 @@ static int crypto_authenc_esn_create(struct crypto_template *tmpl, auth = crypto_spawn_ahash_alg(&ctx->auth); auth_base = &auth->base; + if (auth->digestsize > 0 && auth->digestsize < 4) { + err = -EINVAL; + goto err_free_inst; + } + err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst), crypto_attr_alg_name(tb[2]), 0, mask); if (err) -- cgit 1.3-korg
b42821c15445 crypto: authencesn - reject short ahash digests during instance creation
1 file changed · +5 −1
crypto/authencesn.c+5 −1 modifieddiff --git a/crypto/authencesn.c b/crypto/authencesn.c index af3d584e584fbc..522df41365d8f9 100644 --- a/crypto/authencesn.c +++ b/crypto/authencesn.c @@ -390,6 +390,11 @@ static int crypto_authenc_esn_create(struct crypto_template *tmpl, auth = crypto_spawn_ahash_alg(&ctx->auth); auth_base = &auth->base; + if (auth->digestsize > 0 && auth->digestsize < 4) { + err = -EINVAL; + goto err_free_inst; + } + err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst), crypto_attr_alg_name(tb[2]), 0, mask); if (err) -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing validation of ahash digest size in crypto_authenc_esn_create() allows an unsupported default authsize (1..3) to be set, leading to out-of-bounds access in ESN tail handling."
Attack vector
An attacker can select an ahash with a digest size of 1, 2, or 3 bytes (e.g., `cbcmac(cipher_null)`) when creating an authencesn AEAD instance via `AF_ALG`. Because `crypto_authenc_esn_create()` does not validate the digest size, the AEAD core initializes the tfm's default authsize to this invalid short value. When the ESN encrypt/decrypt paths then move 4 bytes of high-order sequence number data at the end of the authenticated data, the too-short tag causes an out-of-bounds access [patch_id=2660273].
Affected code
The vulnerability is in the `crypto_authenc_esn_create()` function in `crypto/authencesn.c` [patch_id=2660273]. This function copies `auth->digestsize` into `inst->alg.maxauthsize` without validating that the digest size is either zero or at least 4 bytes.
What the fix does
The patch adds a guard in `crypto_authenc_esn_create()` that rejects any ahash whose `digestsize` is in the range 1..3 by returning `-EINVAL` and jumping to `err_free_inst` [patch_id=2660273]. This prevents the creation of authencesn instances with an unsupported default authsize, closing the window where `AF_ALG` could trigger an out-of-bounds access via the ESN tail handling.
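A defender-side check for the condition described above, as an added example (not code from the kernel patch or from this page): it scans `/proc/crypto` text for registered authencesn AEAD instances whose `maxauthsize` falls in 1..3. The sample text is constructed and the function names are illustrative.

```python
import re

# Constructed sample in /proc/crypto layout (fields trimmed; not from a real host).
SAMPLE_PROC_CRYPTO = """\
name         : authencesn(hmac(sha256),cbc(aes))
module       : authencesn
type         : aead
maxauthsize  : 32

name         : authencesn(cbcmac(cipher_null),cbc(aes))
module       : authencesn
type         : aead
maxauthsize  : 1
"""

def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries

def authsize_supported(size):
    """Rule from the advisory: authsize must be zero or at least 4 bytes."""
    return size == 0 or size >= 4

def find_short_authencesn(text):
    """Names of registered authencesn AEADs whose maxauthsize is 1..3."""
    hits = []
    for entry in parse_proc_crypto(text):
        name = entry.get("name", "")
        if entry.get("type") != "aead" or not name.startswith("authencesn("):
            continue
        size = entry.get("maxauthsize", "")
        if size.isdigit() and not authsize_supported(int(size)):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for hit in find_short_authencesn(SAMPLE_PROC_CRYPTO):
        print("unsupported default authsize:", hit)
```

On a live host, pass the contents of `/proc/crypto` instead of the sample; a hit means such an instance was registered, which a patched kernel refuses to create.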
Preconditions
- auth: The attacker must be able to instantiate an authencesn AEAD algorithm via AF_ALG (requires access to the crypto subsystem, typically root or CAP_NET_ADMIN).
- config: An ahash algorithm with digest size 1, 2, or 3 (e.g., cbcmac(cipher_null)) must be available in the kernel.
- input: The attacker must supply a crafted payload that triggers the ESN tail handling with the too-short tag.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/5db6ef9847717329f12c5ea8aba7e9f588a980c0 (nvd)
- git.kernel.org/stable/c/67f1f0933cc3d78dde222842bcad2778ec7a0b88 (nvd)
- git.kernel.org/stable/c/9aff81e8217e9de2929084b03b3c7f81988c112b (nvd)
- git.kernel.org/stable/c/b42821c15445f93daea3e76ada682b2b7181c476 (nvd)
- git.kernel.org/stable/c/b69933e97efea238ebbfcf70c2b1be1cd03f13e3 (nvd)