PatchSiren

CVE-2026-46019 Linux CVE debrief

A memory leak vulnerability exists in the Linux kernel's Atmel AES crypto driver. The `atmel_aes_buff_init()` function allocates 4 pages of memory using `__get_free_pages()` with `ATMEL_AES_BUFFER_ORDER`, but the corresponding cleanup function `atmel_aes_buff_cleanup()` incorrectly frees only a single page using `free_page()`. This mismatch causes 3 pages (12KB on typical systems) to be leaked on each cleanup cycle. The fix replaces `free_page()` with `free_pages()` using the correct order parameter to properly release all allocated pages. This vulnerability affects systems using the Atmel AES hardware crypto accelerator, potentially leading to gradual memory exhaustion under sustained cryptographic operations.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

System administrators running Linux on hardware with Atmel AES cryptographic accelerators, embedded systems developers using Atmel/Microchip processors with hardware crypto support, and security teams monitoring for kernel memory exhaustion vulnerabilities.

Technical summary

The Atmel AES crypto driver in the Linux kernel contains a memory leak where `atmel_aes_buff_cleanup()` uses `free_page()` instead of `free_pages()` with `ATMEL_AES_BUFFER_ORDER`, causing 3 of 4 allocated pages to leak on each buffer cleanup. The fix corrects the deallocation to match the allocation order.
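
The mismatch described above, modelled in userspace C as an added example (this is not the driver's source or the upstream patch). The `model_*` helpers, `cleanup_before()`, `cleanup_after()` and `leaked_pages()` are hypothetical stand-ins that only count pages, and `ATMEL_AES_BUFFER_ORDER` is assumed to be 2 to match the 4 pages stated in the description.

```c
/* Userspace model, not kernel code: the page allocator is reduced to a
 * counter so the effect of the order mismatch can be measured. */
#include <stdio.h>
#include <stdlib.h>
#define MODEL_PAGE_SIZE 4096UL      /* assumed page size */
#define ATMEL_AES_BUFFER_ORDER 2    /* assumed: order 2 = 4 pages */

static long pages_outstanding;      /* pages allocated and not yet returned */

/* Hypothetical stand-ins for __get_free_pages(), free_pages(), free_page(). */
static unsigned long model_get_free_pages(unsigned int order)
{
    void *p = malloc(MODEL_PAGE_SIZE << order);
    if (p)
        pages_outstanding += 1L << order;
    return (unsigned long)p;
}

static void model_free_pages(unsigned long addr, unsigned int order)
{
    pages_outstanding -= 1L << order;   /* the allocator gets back 2^order pages */
    free((void *)addr);                 /* host memory is always released */
}

/* Order 0: the allocator is told about exactly one page. */
static void model_free_page(unsigned long addr) { model_free_pages(addr, 0); }

/* Cleanup as described before the fix, and after it. */
static void cleanup_before(unsigned long buf) { model_free_page(buf); }
static void cleanup_after(unsigned long buf) { model_free_pages(buf, ATMEL_AES_BUFFER_ORDER); }

/* Run init/cleanup cycles; return pages the allocator never got back. */
long leaked_pages(int cycles, int fixed)
{
    pages_outstanding = 0;
    for (int i = 0; i < cycles; i++) {
        unsigned long buf = model_get_free_pages(ATMEL_AES_BUFFER_ORDER);
        if (!buf)
            return -1;
        if (fixed) cleanup_after(buf); else cleanup_before(buf);
    }
    return pages_outstanding;
}

int main(void)
{
    printf("before fix: %ld pages leaked\n", leaked_pages(100, 0));
    printf("after fix:  %ld pages leaked\n", leaked_pages(100, 1));
    return 0;
}
```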

Defensive priority

medium

Recommended defensive actions

  • Review kernel version and confirm if the Atmel AES driver (atmel-aes) is in use
  • Apply kernel updates containing the fix commits when available from your distribution
  • Monitor for memory pressure indicators on systems using Atmel AES hardware acceleration
  • Consider disabling Atmel AES hardware acceleration temporarily if memory exhaustion symptoms appear and patches are unavailable

Evidence notes

The vulnerability description is sourced from the official CVE record published by NVD on 2026-05-27. The fix involves correcting the page deallocation order in the kernel's Atmel AES driver. Multiple stable kernel branch commits are referenced, indicating backports to supported kernel versions.
