ACK: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23060
Abdur Rahman
abdur.rahman at canonical.com
Fri Feb 6 20:02:10 UTC 2026
On 2/5/26 6:51 PM, Ian Whitfield wrote:
> [Impact]
>
> crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec
>
> authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
> the minimum expected length, crypto_authenc_esn_decrypt() can advance past
> the end of the destination scatterlist and trigger a NULL pointer dereference
> in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
>
> Add a minimum AAD length check to fail fast on invalid inputs.
>
> [Backport]
>
> The patch was applied cleanly.
>
> [Fix]
>
> Questing: Cherry-pick
> Noble: Cherry-pick
> Jammy: Cherry-pick
> Focal: PR on Forgejo
> Bionic: Sent to ESM ML
> Xenial: Sent to ESM ML
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the Authenc crypto module, which is required for
> the IPsec ESP protocol. An issue with this fix would be visible to the user via
> a kernel panic or failure to complete network transactions.
>
> Taeyang Lee (1):
> crypto: authencesn - reject too-short AAD (assoclen<8) to match
> ESP/ESN spec
>
> crypto/authencesn.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
Acked-by: Abdur Rahman <abdur.rahman at canonical.com>
More information about the kernel-team
mailing list