Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: xts - Handle EBUSY correctly
As it is xts only handles the special return value of EINPROGRESS,
which means that in all other cases it will free data related to the
request.
However, as the caller of xts may specify MAY_BACKLOG, we also need
to expect EBUSY and treat it in the same way. Otherwise backlogged
requests will trigger a use-after-free.
A use-after-free flaw was found in the Linux kernel XTS (XOR Encrypt XOR with ciphertext stealing) crypto module, in the way a privileged user triggers the XTS crypto API in a specific way.
A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
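The ownership rule described above, as an added userspace model (not kernel code and not the actual patch). The names `backend_submit`, `wrapper_submit` and the `released` flag are hypothetical; only the return-value check mirrors the description.

```c
/* Constructed userspace model, not kernel code: who owns a request after submit. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct req_ctx { bool released; };   /* stands in for the per-request data */
struct backend { struct req_ctx *pending; int status; };
typedef bool (*in_flight_fn)(int err);

/* Hypothetical backend: for -EINPROGRESS (queued) and -EBUSY (backlogged)
 * it keeps the pointer and will touch the request again on completion. */
static int backend_submit(struct backend *b, struct req_ctx *r)
{
    if (b->status == -EINPROGRESS || b->status == -EBUSY)
        b->pending = r;
    return b->status;
}

/* Before the fix: only -EINPROGRESS counts as "still in flight". */
static bool in_flight_before(int err) { return err == -EINPROGRESS; }
/* After the fix: a backlogged request (-EBUSY) is treated the same way. */
static bool in_flight_after(int err) { return err == -EINPROGRESS || err == -EBUSY; }

/* Wrapper in the role of the template: submit, then release the per-request
 * data unless the backend still owns it. A flag models the free. */
static int wrapper_submit(struct backend *b, struct req_ctx *r, in_flight_fn in_flight)
{
    int err = backend_submit(b, r);
    if (!in_flight(err))
        r->released = true;
    return err;
}

/* True when the backend would later complete a request whose data is already
 * released, which is the use-after-free condition. */
static bool dangling_after_submit(int status, in_flight_fn in_flight)
{
    struct req_ctx r = { false };
    struct backend b = { NULL, status };
    wrapper_submit(&b, &r, in_flight);
    return b.pending != NULL && b.pending->released;
}

int main(void)
{
    printf("EBUSY, before: dangling=%d\n", dangling_after_submit(-EBUSY, in_flight_before));
    printf("EBUSY, after:  dangling=%d\n", dangling_after_submit(-EBUSY, in_flight_after));
    return 0;
}
```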
Statement
The patch fixes a use-after-free in the XTS skcipher template where -EBUSY from the crypto backend (with MAY_BACKLOG) was not treated like -EINPROGRESS, causing request data to be freed while still referenced. The impact is kernel memory corruption (high integrity/availability impact). The CVSS score uses PR:L because triggering requires the ability to invoke kernel crypto operations (e.g., via AF_ALG skcipher XTS) and to craft conditions that lead to a backlogged request. Note: In a standard Linux installation, this vulnerability can only be triggered by the root user, since access to the kernel crypto API (e.g., via AF_ALG sockets or device-mapper targets using XTS mode) requires CAP_SYS_ADMIN privileges. However, in specific environments such as containers or sandboxed setups where unprivileged users are granted CAP_SYS_ADMIN (or equivalent capabilities), a non-root user within that environment may also be able to exploit the issue. In hardened setups where AF_ALG is restricted, this path may be limited to privileged users.
Mitigation
To mitigate this issue, prevent module xts from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Not affected | ||
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2025:19409 | 03.11.2025 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2025:21112 | 12.11.2025 |
Additional information
CVSS3: 7.8 High
Related vulnerabilities
Vulnerability in the crypto/xts.c module of the Linux operating system kernel that allows an attacker to cause a denial of service