PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45950 Linux CVE debrief

A memory leak vulnerability exists in the StarFive cryptographic driver within the Linux kernel. The `starfive_aes_aead_do_one_req()` function in the crypto subsystem allocates memory for `rctx->adata` using `kzalloc()` but fails to free this allocation when either `sg_copy_to_buffer()` or `starfive_aes_hw_init()` encounters an error. This leads to a memory leak condition that could potentially degrade system performance over time through memory exhaustion. The vulnerability was identified through prototype static analysis tooling and subsequent code review. The fix ensures consistent cleanup by freeing the `rctx->adata` allocation in all error paths prior to the normal write_adata operations cleanup. The patch has been compile-tested and backported to multiple stable kernel branches.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

System administrators managing Linux-based embedded systems, IoT devices, or edge computing platforms utilizing StarFive RISC-V SoCs; kernel maintainers for distributions targeting RISC-V architectures; security teams monitoring memory exhaustion conditions in long-running cryptographic workloads

Technical summary

The vulnerability exists in `drivers/crypto/starfive/starfive-crypto.c` within the AEAD (Authenticated Encryption with Associated Data) request handling path. When processing cryptographic requests, the driver allocates a temporary buffer `rctx->adata` via `kzalloc()` to hold associated data. The original implementation only freed this allocation along the success path and the primary cleanup path after write_adata operations. However, if `sg_copy_to_buffer()` fails to copy scatterlist data or if `starfive_aes_hw_init()` fails to initialize the hardware cryptographic engine, the function would return an error code without freeing the previously allocated `rctx->adata`, resulting in a memory leak. The resolution adds explicit `kfree(rctx->adata)` calls in these error paths before returning, ensuring consistent memory cleanup regardless of failure mode. This vulnerability primarily affects embedded systems and IoT devices utilizing StarFive RISC-V SoCs with hardware cryptographic acceleration enabled.

Defensive priority

medium

Recommended defensive actions

  • Review kernel configurations to identify systems utilizing the StarFive cryptographic driver (CONFIG_CRYPTO_DEV_STARFIVE)
  • Apply available stable kernel updates containing the referenced commits
  • Monitor system memory utilization on affected embedded/IoT devices using StarFive SoCs for signs of gradual memory exhaustion
  • Consider disabling the StarFive crypto driver if cryptographic acceleration is not required and patches cannot be immediately applied

Evidence notes

Vulnerability description confirms memory leak in starfive_aes_aead_do_one_req() function. Issue identified via prototype static analysis tool and code review. Fix ensures rctx->adata is freed in error paths for sg_copy_to_buffer() and starfive_aes_hw_init() failures. Multiple stable kernel branch commits provided in references indicate backporting activity.

Official resources

2026-05-27