5.5

CVE-2025-71113

EPSS 0.03%
Veröffentlicht 14.01.2026 15:16:00
Zuletzt bearbeitet 25.03.2026 19:58:42
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

crypto: af_alg - zero initialize memory allocated via sock_kmalloc

In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - zero initialize memory allocated via sock_kmalloc

Several crypto user API contexts and requests allocated with
sock_kmalloc() were left uninitialized, relying on callers to
set fields explicitly. This resulted in the use of uninitialized
data in certain error paths or when new fields are added in the
future.

The ACVP patches also contain two user-space interface files:
algif_kpp.c and algif_akcipher.c. These too rely on proper
initialization of their context structures.

A particular issue has been observed with the newly added
'inflight' variable introduced in af_alg_ctx by commit:

  67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")

Because the context is not memset to zero after allocation,
the inflight variable has contained garbage values. As a result,
af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when
the garbage value was interpreted as true:

  https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209

The check directly tests ctx->inflight without explicitly
comparing against true/false. Since inflight is only ever set to
true or false later, an uninitialized value has triggered
-EBUSY failures. Zero-initializing memory allocated with
sock_kmalloc() ensures inflight and other fields start in a known
state, removing random issues caused by uninitialized data.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

NVD 15 VulnDex Vulnerability Enrichment 13

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 2.6.38.1 < 5.10.248

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.198

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.160

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.120

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.64

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.3

Linux ≫ Linux Kernel Version2.6.38 Update-

Linux ≫ Linux Kernel Version6.19 Updaterc1

Linux ≫ Linux Kernel Version6.19 Updaterc2

Linux ≫ Linux Kernel Version6.19 Updaterc3

Linux ≫ Linux Kernel Version6.19 Updaterc4

Linux ≫ Linux Kernel Version6.19 Updaterc5

Linux ≫ Linux Kernel Version6.19 Updaterc6

Linux ≫ Linux Kernel Version6.19 Updaterc7

Linux ≫ Linux Kernel Version6.19 Updaterc8

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.097

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

https://git.kernel.org/stable/c/51a5ab36084f3251ef87eda3e6a6236f6488925e

Patch

https://git.kernel.org/stable/c/5a4b65523608974a81edbe386f8a667a3e10c726

Patch

https://git.kernel.org/stable/c/6f6e309328d53a10c0fe1f77dec2db73373179b6

Patch

https://git.kernel.org/stable/c/84238876e3b3b262cf62d5f4d1338e983fb27010

Patch

https://git.kernel.org/stable/c/f81244fd6b14fecfa93b66b6bb1d59f96554e550

Patch

https://git.kernel.org/stable/c/543bf004e4eafbb302b1e6c78570d425d2ca13a0

Patch

https://git.kernel.org/stable/c/e125c8e346e4eb7b3e854c862fcb4392bc13ddba

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-71113

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-71113

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-71113

EUVD