#VU124888 Missing Release of Resource after Effective Lifetime in Linux kernel - CVE-2026-31391
Published: April 6, 2026
Linux kernel
Linux Foundation
Description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the atmel-sha204a crypto driver when memory allocation fails during read handling. A local user can trigger memory allocation failure conditions to cause a denial of service.
The issue can block future reads because tfm_count is not decremented after an out-of-memory condition.
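The failure mode described above, shown as an added user-space model that is not the driver's code. Only `tfm_count` comes from the advisory; the single in-flight-read limit, the return values and every other name are assumptions made for illustration.

```c
/* Simplified user-space model, constructed for illustration; not the driver source. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

static atomic_int tfm_count;   /* counter named in the advisory */
static bool fail_next_alloc;   /* hypothetical hook: simulate one OOM */

static void *model_alloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = false; return NULL; }
    return malloc(n);
}

/* One read attempt. Returns bytes read, 0 if a read is already counted
 * as in flight, or -ENOMEM. release_on_oom selects the corrected path. */
static int model_read(bool release_on_oom)
{
    int expected = 0;
    /* Claim the single slot (0 -> 1); assumed limit of one in-flight read. */
    if (!atomic_compare_exchange_strong(&tfm_count, &expected, 1))
        return 0;
    void *work = model_alloc(64);
    if (!work) {
        if (release_on_oom)
            atomic_fetch_sub(&tfm_count, 1);  /* corrected: undo the claim */
        return -ENOMEM;                       /* leaky form: count stays 1 */
    }
    free(work);                               /* stands in for the finished read */
    atomic_fetch_sub(&tfm_count, 1);
    return 32;
}

/* Run one OOM followed by a normal read; return the second read's result. */
static int read_after_oom(bool release_on_oom)
{
    atomic_store(&tfm_count, 0);
    fail_next_alloc = true;
    (void)model_read(release_on_oom);
    return model_read(release_on_oom);
}

int main(void)
{
    printf("leaky: %d, corrected: %d\n", read_after_oom(false), read_after_oom(true));
    return 0;
}
```

In the leaky form a single allocation failure leaves the counter at 1, so every later read returns 0 until the counter is reset; the corrected form releases the claim on the error path and the next read succeeds.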
Remediation
External links
- https://git.kernel.org/stable/c/1ab70c260cf16f931a728b2cb63fff5f38c814d8
- https://git.kernel.org/stable/c/2bfc83cee05f8b9604502df27d94e8e2b4a3dbf1
- https://git.kernel.org/stable/c/66ee9c1c3575b5d6afc340faca00fd40ed5b7ad9
- https://git.kernel.org/stable/c/6f502049a96b368ea6646c49d9520d6f69a101fa
- https://git.kernel.org/stable/c/d240b079a37e90af03fd7dfec94930eb6c83936e
- https://git.kernel.org/stable/c/fd262dc6d758232511127372eba866b7600739ba