SB2026050954 - Sensitive Information in Resource Not Removed Before Reuse in Linux kernel crypto
Published: May 9, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Sensitive Information in Resource Not Removed Before Reuse (CVE-ID: CVE-2026-43336)
CWE-ID: CWE-226 - Sensitive Information in Resource Not Removed Before Reuse
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to missing zeroization of sensitive data in the ChaCha implementation in lib/crypto/chacha when processing cryptographic state on the stack. A local user can read residual stack memory to disclose sensitive information.
The permuted state is sufficient to reconstruct the original state, including the key.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/066c760acead1fb743bae294dbd89f479ae43b9b
- https://git.kernel.org/stable/c/1933249263c3a98df79992f61a566476e4163bcc
- https://git.kernel.org/stable/c/1d761e5a7340c46479fb2399598f331e4fe2c633
- https://git.kernel.org/stable/c/91999af43ca2125e3b2c18fcfc02912ada02efc3
- https://git.kernel.org/stable/c/b416a4245f04a450c67a13e6d96056c37c5b33fe
- https://git.kernel.org/stable/c/bd62d9b44464a6c20a34a74068e7a784d0afa04a
- https://git.kernel.org/stable/c/e5046823f8fa3677341b541a25af2fcb99a5b1e0
- https://git.kernel.org/stable/c/e90ee961af515a484f091678ce58a4c3f7b73b02