APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23060
Stefan Bader
stefan.bader at canonical.com
Fri Feb 20 16:42:30 UTC 2026
On 06/02/2026 00:51, Ian Whitfield wrote:
> [Impact]
>
> crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec
>
> authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
> the minimum expected length, crypto_authenc_esn_decrypt() can advance past
> the end of the destination scatterlist and trigger a NULL pointer dereference
> in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
>
> Add a minimum AAD length check to fail fast on invalid inputs.
>
> [Backport]
>
> The patch was applied cleanly.
>
> [Fix]
>
> Questing: Cherry-pick
> Noble: Cherry-pick
> Jammy: Cherry-pick
> Focal: PR on Forgejo
> Bionic: Sent to ESM ML
> Xenial: Sent to ESM ML
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the Authenc crypto module, which is required for
> the IPsec ESP protocol. An issue with this fix would be visible to the user via
> a kernel panic or failure to complete network transactions.
>
> Taeyang Lee (1):
> crypto: authencesn - reject too-short AAD (assoclen<8) to match
> ESP/ESN spec
>
> crypto/authencesn.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
Applied to questing,noble,jammy:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260220/63b20044/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260220/63b20044/attachment-0001.sig>
More information about the kernel-team
mailing list