CVE-2026-45986 Linux CVE debrief

Who should care

System administrators running Linux on ARM platforms with TrustZone CryptoCell hardware accelerators; embedded systems and IoT device manufacturers utilizing ARM SoCs with integrated cryptographic engines; cloud providers offering ARM-based instances with hardware crypto offload; security teams monitoring kernel memory exhaustion vectors

Technical summary

The vulnerability is located in drivers/crypto/ccree/cc_hash.c in the cc_mac_digest() function. When cc_map_hash_request_final() fails during MAC digest operations, the previously mapped result buffer was not unmapped, leading to a memory leak. The resolution adds a cc_unmap_result() call in the error path to ensure DMA mappings are properly released. This is a resource exhaustion vulnerability affecting kernel memory management in cryptographic operations.

Defensive priority

medium

Recommended defensive actions

• Review kernel configurations for systems utilizing ARM TrustZone CryptoCell hardware cryptographic accelerators
• Monitor stable kernel updates for ccree driver patches corresponding to the referenced commits
• Apply kernel updates from distribution vendors when available, prioritizing systems with hardware crypto offload enabled
• Consider disabling hardware crypto acceleration via kernel module parameters if patches are unavailable and cryptographic performance is not critical
• Audit systems for unusual memory consumption patterns in kernel space that may indicate resource exhaustion from this leak

Evidence notes

The vulnerability description indicates a memory leak in the ARM TrustZone CryptoCell (ccree) driver's cc_mac_digest() function. The fix adds proper unmapping of results when hash request finalization mapping fails. Five kernel.org stable tree commits are referenced, suggesting backports to multiple stable kernel branches. The CVE was published and modified on 2026-05-27, with NVD status 'Awaiting Analysis' indicating CVSS scoring is pending.

Official resources