CVE-2026-53302 in Linux
Summary
by MITRE • 06/26/2026
In the Linux kernel, the following vulnerability has been resolved:
crypto: eip93 - fix hmac setkey algo selection
eip93_hmac_setkey() allocates a temporary ahash transform for computing HMAC ipad/opad key material. The allocation uses the driver-specific cra_driver_name (e.g. "sha256-eip93") but passes CRYPTO_ALG_ASYNC as the mask, which excludes async algorithms.
Since the EIP93 hash algorithms are the only ones registered under those driver names and they are inherently async, the lookup is self-contradictory and always fails with -ENOENT.
When called from the AEAD setkey path, this failure leaves the SA record partially initialized with zeroed digest fields. A subsequent crypto operation then dereferences a NULL pointer in the request context, resulting in a kernel panic:
``` pc : eip93_aead_handle_result+0xc8c/0x1240 [crypto_hw_eip93]
lr : eip93_aead_handle_result+0xbec/0x1240 [crypto_hw_eip93]
sp : ffffffc082feb820 x29: ffffffc082feb820 x28: ffffff8011043980 x27: 0000000000000000 x26: 0000000000000000 x25: ffffffc078da0bc8 x24: 0000000091043980 x23: ffffff8004d59e50 x22: ffffff8004d59410 x21: ffffff8004d593c0 x20: ffffff8004d593c0 x19: ffffff8004d4f300 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000007fda7aa498 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: fffffffff8127a80 x9 : 0000000000000000 x8 : ffffff8004d4f380 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : 0000000000000008 x3 : 0000000000000009 x2 : 0000000000000008 x1 : 0000000028000003 x0 : ffffff8004d388c0 Code: 910142b6 f94012e0 f9002aa0 f90006d3 (f9400740) ```
The reported symbol eip93_aead_handle_result+0xc8c is a resolution artifact from static functions being merged under the nearest exported symbol. Decoding the faulting sequence:
``` 910142b6 ADD X22, X21, #0x50 f94012e0 LDR X0, [X23, #0x20]
f9002aa0 STR X0, [X21, #0x50]
f90006d3 STR X19, [X22, #0x8]
f9400740 LDR X0, [X26, #0x8]
```
The faulting LDR at [X26, #0x8] is loading ctx->flags
(offset 8 in eip93_hash_ctx), where ctx has been resolved to NULL from a partially initialized or unreachable transform context following the failed setkey.
Fix this by dropping the CRYPTO_ALG_ASYNC mask from the crypto_alloc_ahash() call. The code already handles async completion correctly via crypto_wait_req(), so there is no requirement to restrict the lookup to synchronous algorithms.
Note that hashing a single 64-byte block through the hardware is likely slower than doing it in software due to the DMA round-trip overhead, but offloading it may still spare CPU cycles on the slower embedded cores where this IP is found.
[Detailed investigation report of this bug]
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/26/2026
This vulnerability exists within the Linux kernel's cryptographic subsystem specifically affecting the eip93 hardware crypto driver implementation. The issue stems from a fundamental mismatch in algorithm selection logic within the hmac setkey functionality where the eip93_hmac_setkey() function attempts to allocate a temporary ahash transform using driver-specific names but applies an incorrect algorithm mask. The problem manifests when the function uses cra_driver_name values such as "sha256-eip93" while simultaneously passing CRYPTO_ALG_ASYNC as the mask parameter, creating a self-contradictory lookup scenario that consistently fails with -ENOENT error code.
The technical flaw represents a classic case of improper algorithm type specification in kernel crypto API calls, where the driver registration for EIP93 hash algorithms is inherently asynchronous but the allocation request explicitly excludes such algorithms. This creates a cascading failure condition where the partial initialization of security association records leaves digest fields zeroed, leading to subsequent cryptographic operations attempting to dereference null pointers in the request context. The kernel panic occurs during AEAD setkey processing when eip93_aead_handle_result function tries to access memory locations that were never properly allocated due to the failed transform allocation.
The operational impact of this vulnerability is severe as it can cause complete system crashes and denial of service conditions in embedded systems running Linux kernels with EIP93 hardware crypto support. The faulting instruction sequence reveals direct memory access to ctx->flags field where the context pointer resolves to NULL following the failed cryptographic transform initialization, indicating a critical null pointer dereference scenario that violates kernel safety principles. This vulnerability affects systems using ARM-based embedded processors with EIP93 crypto hardware acceleration where the kernel attempts to establish HMAC contexts for security operations.
The fix involves removing the CRYPTO_ALG_ASYNC mask from the crypto_alloc_ahash() call since the existing code already properly handles asynchronous completion through crypto_wait_req() mechanisms. This approach aligns with common cryptographic driver patterns where hardware accelerators can operate in both synchronous and asynchronous modes but proper synchronization is handled at the higher-level API calls. The mitigation maintains compatibility with the underlying hardware while ensuring proper algorithm selection that matches the driver's actual implementation characteristics.
From a cybersecurity perspective, this vulnerability demonstrates the importance of careful algorithm mask application in kernel crypto subsystems and aligns with CWE-476 which addresses null pointer dereference conditions. The issue also relates to ATT&CK technique T1059.008 for privilege escalation through kernel exploits, though this particular vulnerability is more accurately classified as a denial of service through kernel panic rather than direct privilege escalation. The flaw emphasizes the need for proper error handling and validation in crypto driver implementations where partial initialization can lead to critical system failures.
The hardware acceleration scenario described highlights performance trade-offs common in embedded systems where DMA overhead may make single block hashing slower than software implementation, but the benefit lies in CPU cycle savings on resource-constrained embedded cores. This vulnerability serves as a reminder of the complexity involved in balancing cryptographic performance optimization with kernel stability requirements, particularly in specialized hardware crypto implementations that must maintain compatibility across various kernel versions and deployment scenarios.
The fix represents a minimal yet critical change that resolves the fundamental algorithm selection conflict while preserving all existing functionality. The solution demonstrates proper understanding of Linux kernel crypto API behavior where driver registration and allocation must be consistent, preventing the self-contradictory lookup conditions that lead to system crashes. This type of vulnerability underscores the importance of thorough testing in kernel crypto subsystems and proper validation of algorithm availability across different kernel configurations and hardware platforms.