PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46081 Linux CVE debrief

A memory corruption vulnerability exists in the Linux kernel's asynchronous compression (acomp) subsystem. The flaw resides in `acomp_save_req()`, which incorrectly stores a pointer to `&req->chain` in `req->base.data` instead of the request structure itself. When `acomp_reqchain_done()` is invoked upon asynchronous completion, it receives this pointer but casts it directly to `struct acomp_req`, causing all subsequent field accesses to occur at incorrect memory offsets. This leads to memory corruption and potential general protection faults. The vulnerability is triggered when asynchronous hardware implementations—specifically the Intel QAT driver—complete requests using the DMA virtual address interface (e.g., `acomp_request_set_src_dma()`), causing `crypto_acomp_compress()` to enter the `acomp_do_req_chain()` path. With Kernel Address Sanitizer (KASAN) enabled, this manifests as a general protection fault with a non-canonical address access pattern. The fix corrects the pointer storage to use the request structure directly and simplifies `acomp_restore_req()` accordingly.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Linux kernel maintainers, organizations running compression workloads on Intel QAT hardware, security teams monitoring kernel memory safety issues, and infrastructure operators utilizing asynchronous crypto/compression APIs

Technical summary

The vulnerability stems from an incorrect pointer assignment in `acomp_save_req()` where `&req->chain` is stored in `req->base.data` rather than the `acomp_req` structure itself. On asynchronous completion, `acomp_reqchain_done()` casts this data pointer to `struct acomp_req*`, resulting in offset-corrupted memory accesses. The issue specifically affects the code path through `acomp_do_req_chain()` when hardware accelerators like Intel QAT complete DMA-based compression requests. The fix corrects the pointer storage and simplifies the restoration logic.

Defensive priority

high

Recommended defensive actions

  • Apply the relevant stable kernel patches referenced in the source data to affected systems
  • Enable Kernel Address Sanitizer (KASAN) in test environments to detect similar memory corruption issues
  • Review systems utilizing Intel QAT hardware acceleration for compression workloads
  • Monitor kernel logs for general protection faults in acomp_reqchain_done() or related call traces
  • Validate that asynchronous compression requests complete without memory corruption after patching

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry, with technical details derived from the kernel commit messages referenced in the source data. The fix involves three stable kernel commits addressing the pointer storage error in the acomp subsystem.

Official resources

2026-05-27