CVE-2026-46081
Awaiting Analysis - Queue
Memory Corruption in Linux Kernel Crypto API

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: acomp - fix wrong pointer stored by acomp_save_req()

acomp_save_req() stores &req->chain in req->base.data. When acomp_reqchain_done() is invoked on asynchronous completion, it receives &req->chain as the data argument but casts it directly to struct acomp_req. Since data points to the chain member, all subsequent field accesses are at a wrong offset, resulting in memory corruption.

The issue occurs when an asynchronous hardware implementation, such as the QAT driver, completes a request that uses the DMA virtual address interface (e.g. acomp_request_set_src_dma()). This combination causes crypto_acomp_compress() to enter the acomp_do_req_chain() path, which sets acomp_reqchain_done() as the completion callback via acomp_save_req().

With KASAN enabled, this manifests as a general protection fault in acomp_reqchain_done():

    general protection fault, probably for non-canonical address 0xe000040000000000
    KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007]
    RIP: 0010:acomp_reqchain_done+0x15b/0x4e0
    Call Trace:
     <IRQ>
     qat_comp_alg_callback+0x5d/0xa0 [intel_qat]
     adf_ring_response_handler+0x376/0x8b0 [intel_qat]
     adf_response_handler+0x60/0x170 [intel_qat]
     tasklet_action_common+0x223/0x820
     handle_softirqs+0x1ab/0x640
     </IRQ>

Fix this by storing the request itself in req->base.data instead of &req->chain, so that acomp_reqchain_done() receives the correct pointer. Simplify acomp_restore_req() accordingly to access req->chain directly.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-30
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product      Version / Range
intel     intel_qat    *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's crypto asynchronous compression (acomp) subsystem. Specifically, acomp_save_req() incorrectly stores a pointer to a member of a request structure (&req->chain) in req->base.data instead of storing the pointer to the request itself. Later, when acomp_reqchain_done() is called upon asynchronous completion, it treats this stored pointer as if it points to the entire request structure, but it actually points to a member inside it. This causes subsequent accesses to fields in the structure to be at wrong memory offsets, leading to memory corruption.

The issue arises particularly when using asynchronous hardware implementations like the Intel QAT driver with DMA virtual address interfaces. With Kernel Address Sanitizer (KASAN) enabled, this manifests as a general protection fault due to invalid memory access.

The fix involves storing the pointer to the entire request in req->base.data rather than the pointer to the chain member, ensuring that acomp_reqchain_done() receives the correct pointer and preventing memory corruption.
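
The pointer mix-up described above, as an added example that is not kernel code: a simplified userspace model whose struct layouts and names (model_req, save_req_buggy, save_req_fixed, done_view, callback_skew, misread_offset) are assumptions made for illustration. It compares addresses only, showing how far the callback's view of the request is shifted when the member pointer is stored, and that the shift is zero when the request itself is stored.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace stand-ins (assumed layout, NOT the kernel's structs). */
struct model_base  { void (*complete)(void *data, int err); void *data; };
struct model_chain { void (*done)(void *data, int err); void *data; };
struct model_req {
    struct model_base base;     /* base.data is handed to the callback */
    unsigned int slen, dlen;
    struct model_chain chain;   /* embedded member at a non-zero offset */
};

/* Pattern described as the bug: stash a pointer to the embedded member. */
static void save_req_buggy(struct model_req *req) { req->base.data = &req->chain; }

/* Pattern described as the fix: stash the request itself. */
static void save_req_fixed(struct model_req *req) { req->base.data = req; }

/* Completion side: treats the opaque data argument as the request. */
static struct model_req *done_view(void *data) { return (struct model_req *)data; }

/* Bytes between the real request and what the callback believes it is.
 * Only addresses are compared; the skewed pointer is never dereferenced. */
static ptrdiff_t callback_skew(void (*save)(struct model_req *))
{
    struct model_req req = {0};
    save(&req);
    return (char *)done_view(req.base.data) - (char *)&req;
}

/* Offset, relative to the real request, where the callback's access to
 * "base.data" actually lands for a given skew. */
static size_t misread_offset(ptrdiff_t skew)
{
    return (size_t)skew + offsetof(struct model_req, base.data);
}

int main(void)
{
    ptrdiff_t bad = callback_skew(save_req_buggy);
    printf("sizeof(req)=%zu\n", sizeof(struct model_req));
    printf("buggy: skew=%td, base.data read at +%zu\n", bad, misread_offset(bad));
    printf("fixed: skew=%td\n", callback_skew(save_req_fixed));
    return 0;
}
```

In this model every field access through the skewed pointer is shifted by offsetof(struct model_req, chain), so accesses to later fields fall beyond the end of the real request.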

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel when asynchronous crypto compression requests complete. Such memory corruption can cause system instability, crashes, or general protection faults, especially when using hardware accelerators like Intel QAT.

If exploited or triggered, it could potentially lead to denial of service (system crashes) or unpredictable behavior in kernel space, which might affect the reliability and security of systems relying on this crypto functionality.

Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version where acomp_save_req() stores the request itself in req->base.data instead of &req->chain. This ensures that acomp_reqchain_done() receives the correct pointer, preventing memory corruption.

Therefore, the immediate mitigation step is to apply the patch or update the Linux kernel to a version that includes this fix.
