CVE-2026-28529 in cryptodev-linux
Summary
by MITRE • 03/25/2026
cryptodev-linux version 1.14 and prior contain a page reference handling flaw in the get_userbuf function of the /dev/crypto device driver that allows local users to trigger use-after-free conditions. Attackers with access to the /dev/crypto interface can repeatedly decrement reference counts of controlled pages to achieve local privilege escalation.
Analysis
by VulDB Data Team • 03/30/2026
cryptodev-linux is an out-of-tree kernel module that exposes the kernel's crypto API to user space through the /dev/crypto character device, so applications can use hardware accelerators or optimized software implementations without carrying their own cipher code. It is common on embedded platforms with crypto engines and on servers that offload cryptographic work. The flaw sits in get_userbuf, the helper that prepares caller-supplied buffers for in-kernel processing: it pins the user pages backing the buffer, taking a reference on each so the kernel can operate on them in place, and the matching release path is expected to drop exactly one reference per page when the request completes. The driver does not keep this balanced. As the summary above states, a page's reference count can be decremented more often than it was incremented, so a page can be freed while it is still mapped by the user or still referenced by the driver.
Whether the surplus decrement comes from a logic error in the release path or from a race between concurrent requests, the effect is the same: a local user who can open /dev/crypto and submit requests with buffers they control can drive a chosen page's reference count to zero. At that point the page goes back to the allocator and may be handed to any other kernel or user allocation, while the attacker's original mapping, or a stale pointer held by the driver, still refers to it. The attacker is then reading and writing memory that belongs to someone else, which is the page-level use-after-free the summary describes; if the recycled page ends up holding kernel data, that aliasing is the primitive from which privilege escalation is built.
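The following is an added, user-space model of the reference-count imbalance described above; it is not cryptodev-linux code and not the project's fix. The page structure, pin_userbuf() and the two release_userbuf_* variants are hypothetical stand-ins for the pin/unpin bookkeeping around a get_userbuf()-style helper, and the trigger used here (the release path running once on an error path and again in normal cleanup) is an illustrative pattern, not the advisory's confirmed root cause. It shows why one extra put on a page that the user still maps ends with the user's mapping aliasing freed memory, and why a release that is balanced with the pin and idempotent cannot be driven into that state.

```c
#include <stdio.h>
#include <string.h>

/* Added example for this page: a user-space model of kernel page reference
 * counting. It is NOT cryptodev-linux code. pin_userbuf()/release_userbuf_*()
 * are hypothetical stand-ins for the pin/unpin bookkeeping around a
 * get_userbuf()-style helper; the "release runs twice" trigger is an
 * illustrative pattern, not the advisory's confirmed root cause. */

#define MAX_PAGES 4

struct page {
    int refcount;           /* references currently held on the page */
    int freed;              /* 1 once the page has gone back to the allocator */
    unsigned char data[64]; /* payload; poisoned on free so a UAF is visible */
};

static void get_page(struct page *p)
{
    p->refcount++;
}

/* Drop one reference; the last one returns the page to the allocator. */
static void put_page(struct page *p)
{
    if (p->freed)
        return;                         /* put on a freed page: a real kernel oopses here */
    if (--p->refcount == 0) {
        p->freed = 1;
        memset(p->data, 0xAA, sizeof p->data); /* allocator poison / next owner's data */
    }
}

/* Driver-side record of a pinned user buffer. */
struct userbuf {
    struct page *pages[MAX_PAGES];
    int npages;
};

/* Pin: one reference per page while the driver works on the buffer. */
static void pin_userbuf(struct userbuf *ub, struct page *pages, int n)
{
    int i;
    ub->npages = n;
    for (i = 0; i < n; i++) {
        ub->pages[i] = &pages[i];
        get_page(&pages[i]);
    }
}

/* Vulnerable release: drops each reference but leaves the record intact, so a
 * caller that releases on an error path and again in its normal cleanup
 * decrements the same pages twice. */
static void release_userbuf_vuln(struct userbuf *ub)
{
    int i;
    for (i = 0; i < ub->npages; i++)
        put_page(ub->pages[i]);
}

/* Hardened release: balanced with pin_userbuf() and idempotent. */
static void release_userbuf_fixed(struct userbuf *ub)
{
    int i;
    for (i = 0; i < ub->npages; i++) {
        put_page(ub->pages[i]);
        ub->pages[i] = NULL;
    }
    ub->npages = 0;                     /* a second call is now a no-op */
}

struct outcome {
    int refcount;             /* page refcount after the driver is done */
    int freed;                /* 1 if the page was freed under the user mapping */
    unsigned char first_byte; /* what the user now sees at data[0] */
};

/* Scenario: the user maps one zeroed page (refcount 1), the driver pins it,
 * and the release path runs twice. The user's mapping still exists, so a
 * refcount below 1 means the page was freed out from under it. */
static struct outcome run_double_release(int hardened)
{
    struct page pg = { .refcount = 1, .freed = 0, .data = { 0 } };
    struct userbuf ub;
    struct outcome o;

    pin_userbuf(&ub, &pg, 1);           /* refcount 2 */
    if (hardened) {
        release_userbuf_fixed(&ub);     /* 1 */
        release_userbuf_fixed(&ub);     /* still 1 */
    } else {
        release_userbuf_vuln(&ub);      /* 1 */
        release_userbuf_vuln(&ub);      /* 0: freed while still mapped */
    }
    o.refcount = pg.refcount;
    o.freed = pg.freed;
    o.first_byte = pg.data[0];
    return o;
}

int main(void)
{
    struct outcome v = run_double_release(0), h = run_double_release(1);
    printf("vulnerable: refcount=%d freed=%d data[0]=0x%02x\n", v.refcount, v.freed, v.first_byte);
    printf("hardened:   refcount=%d freed=%d data[0]=0x%02x\n", h.refcount, h.freed, h.first_byte);
    return 0;
}
```

In the vulnerable run the user's page ends with refcount 0, the freed flag set and poison (0xAA) visible through the mapping that was never unmapped; in the hardened run the count stays at 1 because the second release finds nothing to drop. The design point is the one the fix has to make in any pinning helper: the release must drop exactly the references the pin took, once, on every exit path.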
The impact is local privilege escalation from an unprivileged process to kernel-level code execution, and with it control of the whole host. The only precondition is the ability to open /dev/crypto; whether unprivileged users have that depends on the node's mode and group ownership, which is a site configuration choice, so multi-user systems and containers that have the device passed through are the most exposed. The advisory describes the trigger as repeatable, so an attacker can retry until the freed page lands in a useful allocation rather than depending on a narrow timing window, which makes the bug practical rather than merely theoretical.
Mitigation starts with updating cryptodev-linux to 1.15 or later, where the reference counting on this path has been corrected, and then reloading the module (cryptodev), since a rebuilt module does nothing until the old one is unloaded. Where the device is not needed at all, blacklist the module rather than leaving it loaded. Where it is needed, restrict /dev/crypto to a dedicated group and grant that group only to the services that actually perform cryptographic offload; do not leave the node world-readable and world-writable. An audit watch on the device node records which processes open it and gives a baseline against which unexpected users stand out; reference-count operations inside the kernel cannot be monitored from user space, so access logging on the node is the realistic detection control. Kernel hardening helps at the margin: KASLR makes the steps after the use-after-free harder, page zeroing on free (init_on_free=1) removes stale data from recycled pages, and debug builds with CONFIG_DEBUG_VM or KASAN turn the bad decrement into an immediate oops instead of silent corruption, which is how a fuzzing or CI kernel should be configured to catch this class of bug. Stack canaries, by contrast, protect the stack and do nothing against a page-reference bug. The flaw maps to CWE-415 (Double Free) and CWE-416 (Use After Free), and to ATT&CK technique T1068 (Exploitation for Privilege Escalation). Audits of in-house kernel modules should check that every pin of user pages has exactly one matching release on every exit path, error paths included, because that imbalance is the recurring pattern behind vulnerabilities of this kind.