SB2026040646 - Missing Release of Resource after Effective Lifetime in Linux kernel crypto driver
Published: April 6, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31391)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the atmel-sha204a crypto driver when memory allocation fails during read handling. A local user can trigger memory allocation failure conditions to cause a denial of service.
The issue can block future reads because tfm_count is not decremented after an out-of-memory condition.
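A minimal userspace model of the counter leak described above, added here as an illustration; it is not the atmel-sha204a driver's code. The struct, the function names, the 64-byte read size and the "gate busy returns 0" convention are assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; all names here are hypothetical, not the driver's. */
struct dev_model {
    int tfm_count;    /* read gate: 0 = free, 1 = one read in flight */
    bool fail_alloc;  /* constructed fault injection: next allocation fails */
};

static void *model_alloc(const struct dev_model *d, size_t n)
{
    return d->fail_alloc ? NULL : malloc(n);
}

/* Shared read path; release_on_oom selects the leaky or corrected error path. */
static int model_read(struct dev_model *d, bool release_on_oom)
{
    if (d->tfm_count == 1)
        return 0;                 /* assumed convention: gate busy, no data */
    d->tfm_count++;               /* take the gate before allocating */

    void *work = model_alloc(d, 64);
    if (!work) {
        if (release_on_oom)
            d->tfm_count--;       /* corrected: give the gate back */
        return -ENOMEM;           /* leaky: tfm_count stays at 1 */
    }
    free(work);                   /* stands in for the completed read work */
    d->tfm_count--;
    return 64;
}

/* Result of a read issued after one allocation failure has passed. */
static int read_after_oom(bool release_on_oom)
{
    struct dev_model d = { .tfm_count = 0, .fail_alloc = true };
    (void)model_read(&d, release_on_oom);  /* this read hits out-of-memory */
    d.fail_alloc = false;                  /* memory is available again */
    return model_read(&d, release_on_oom);
}

int main(void)
{
    printf("leaky: %d, corrected: %d\n", read_after_oom(false), read_after_oom(true));
    return 0;
}
```

In the leaky variant the second read returns no data even though memory is available again, which is the "blocked future reads" condition the bulletin describes.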
Remediation
Install the update from the vendor's website.
References
- https://git.kernel.org/stable/c/1ab70c260cf16f931a728b2cb63fff5f38c814d8
- https://git.kernel.org/stable/c/2bfc83cee05f8b9604502df27d94e8e2b4a3dbf1
- https://git.kernel.org/stable/c/66ee9c1c3575b5d6afc340faca00fd40ed5b7ad9
- https://git.kernel.org/stable/c/6f502049a96b368ea6646c49d9520d6f69a101fa
- https://git.kernel.org/stable/c/d240b079a37e90af03fd7dfec94930eb6c83936e
- https://git.kernel.org/stable/c/fd262dc6d758232511127372eba866b7600739ba