Security Vulnerability Report
CVE-2026-43330 CVSS 7.8 HIGH

CVE-2026-43330

Published: 2026-05-08 14:16:43
Last Modified: 2026-05-11 08:16:10
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: caam - fix overflow on long hmac keys

When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache alignment, as otherwise the hashed key may corrupt neighbouring memory.

The copying is performed using kmemdup, however this leads to an overflow: reading more bytes (aligned_len - keylen) from the keylen source buffer. Fix this by replacing kmemdup with kmalloc, followed by memcpy.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (Specific versions prior to commits listed in references)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// Vulnerable Logic Simulation (Conceptual)
// This is a kernel module snippet demonstrating the trigger condition.
#include <linux/module.h>
#include <linux/crypto.h>
#include <linux/kernel.h>
#include <linux/slab.h>         // kmalloc, kfree
#include <linux/string.h>       // kmemdup, memcpy
#include <linux/dma-mapping.h>  // dma_get_cache_alignment

void vulnerable_hmac_key_copy(const u8 *key, unsigned int keylen)
{
	unsigned int aligned_len = ALIGN(keylen, dma_get_cache_alignment());
	// Vulnerability: kmemdup reads 'aligned_len' bytes from 'key' (size 'keylen')
	u8 *buf = kmemdup(key, aligned_len, GFP_KERNEL);

	if (!buf)
		return;
	// ... hash logic ...
	kfree(buf);
}

// Fix: Use kmalloc + explicit memcpy with keylen
void fixed_hmac_key_copy(const u8 *key, unsigned int keylen)
{
	unsigned int aligned_len = ALIGN(keylen, dma_get_cache_alignment());
	u8 *buf = kmalloc(aligned_len, GFP_KERNEL);

	if (!buf)
		return;
	memcpy(buf, key, keylen); // Only copy keylen bytes
	// ... hash logic ...
	kfree(buf);
}
```

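References

https://git.kernel.org/stable/c/31022cfde5235c45fa765f0aabeff5f0652852f2
https://git.kernel.org/stable/c/80688afb9c35b3934ce2d6be9973758915e2e0ef
https://git.kernel.org/stable/c/aa545df011338df13f0833fc1fabcb15c0521959
https://git.kernel.org/stable/c/c2fb4984fe09fc176fe4c12d5e3edf626df6511d
https://git.kernel.org/stable/c/cebc5ebd958346195b77f42d0cd5141b4e448fae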

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43330", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:42.650", "lastModified": "2026-05-11T08:16:09.727", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: caam - fix overflow on long hmac keys\n\nWhen a key longer than block size is supplied, it is copied and then\nhashed into the real key. The memory allocated for the copy needs to\nbe rounded to DMA cache alignment, as otherwise the hashed key may\ncorrupt neighbouring memory.\n\nThe copying is performed using kmemdup, however this leads to an overflow:\nreading more bytes (aligned_len - keylen) from the keylen source buffer.\nFix this by replacing kmemdup with kmalloc, followed by memcpy."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/31022cfde5235c45fa765f0aabeff5f0652852f2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/80688afb9c35b3934ce2d6be9973758915e2e0ef", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aa545df011338df13f0833fc1fabcb15c0521959", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c2fb4984fe09fc176fe4c12d5e3edf626df6511d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cebc5ebd958346195b77f42d0cd5141b4e448fae", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}