CVE-2026-23044 Overview
A vulnerability has been discovered in the Linux kernel's power management hibernate functionality that causes a kernel crash when freeing an invalid crypto compressor. When crypto_alloc_acomp() fails, it returns an ERR_PTR value rather than NULL. The cleanup code in save_compressed_image() and load_compressed_image() unconditionally calls crypto_free_acomp() without checking for ERR_PTR, causing crypto_acomp_tfm() to dereference an invalid pointer and crash the kernel.
Critical Impact
This vulnerability can be triggered when the compression algorithm is unavailable (e.g., when CONFIG_CRYPTO_LZO is not enabled), leading to kernel crashes and system denial of service during hibernate operations.
Affected Products
- Linux kernel (versions with affected hibernate crypto compression code)
Discovery Timeline
- February 4, 2026 - CVE-2026-23044 published to NVD
- February 4, 2026 - Last updated in the NVD database
Technical Details for CVE-2026-23044
Vulnerability Analysis
This vulnerability is classified as a Null Pointer Dereference in the Linux kernel's power management subsystem. The root issue lies in improper error handling within the hibernate image compression code path. The kernel's crypto API function crypto_alloc_acomp() follows a standard Linux kernel error handling convention where failures return ERR_PTR values (encoded error codes cast to pointers) rather than NULL. However, the cleanup routines in the hibernate code path fail to account for this convention.
When the compression algorithm is unavailable—such as when CONFIG_CRYPTO_LZO is not compiled into the kernel—the allocation function fails and returns an error pointer. Subsequently, when the cleanup code executes crypto_free_acomp(), the function crypto_acomp_tfm() attempts to dereference this invalid pointer, resulting in a kernel panic.
Root Cause
The root cause is a failure to validate error pointer values before calling cleanup functions in the hibernate crypto compression code. The functions save_compressed_image() and load_compressed_image() unconditionally invoke crypto_free_acomp() on the acomp handle without first checking if the handle contains an ERR_PTR value. This violates the standard Linux kernel error handling pattern where IS_ERR_OR_NULL() should be used to check pointers that may contain error values before dereferencing or freeing them.
Attack Vector
The vulnerability can be triggered locally when:
- A system attempts to hibernate (suspend to disk)
- The configured compression algorithm is unavailable (not compiled or module not loaded)
- The crypto_alloc_acomp() function fails and returns an ERR_PTR
- The cleanup code path executes and attempts to free the invalid pointer
This results in a kernel crash, causing denial of service. The attack requires local access and the ability to trigger hibernate operations, or could be triggered inadvertently through normal system operation on misconfigured systems.
The fix adds IS_ERR_OR_NULL() checks before calling crypto_free_acomp() and acomp_request_free(), following the same pattern already used for the kthread_stop() check in the same code path.
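The following userland C program is an added illustration, not kernel code and not the patch itself. It re-creates the error-pointer helpers from include/linux/err.h, substitutes a hypothetical fake_crypto_alloc_acomp()/fake_crypto_free_acomp() pair for the real crypto API, and models the save_compressed_image() cleanup path with the IS_ERR_OR_NULL() guard the fix adds. It shows why a plain NULL check is not enough: ERR_PTR(-ENOENT) is a non-NULL value that must never be dereferenced.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userland re-creation of the kernel's error-pointer helpers from
 * include/linux/err.h: an errno is encoded in the top MAX_ERRNO addresses. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}
static inline int IS_ERR_OR_NULL(const void *ptr) { return !ptr || IS_ERR(ptr); }

/* Hypothetical stand-in for the acomp transform object. */
struct crypto_acomp {
    char alg[16];
};

/* Hypothetical stand-in for crypto_alloc_acomp(): only "lzo" and "lz4" count
 * as available here; any other name fails the way the real API does, with an
 * error pointer rather than NULL. */
static struct crypto_acomp *fake_crypto_alloc_acomp(const char *alg)
{
    if (strcmp(alg, "lzo") != 0 && strcmp(alg, "lz4") != 0)
        return ERR_PTR(-ENOENT);
    struct crypto_acomp *tfm = calloc(1, sizeof *tfm);
    if (!tfm)
        return ERR_PTR(-ENOMEM);
    snprintf(tfm->alg, sizeof tfm->alg, "%s", alg);
    return tfm;
}

/* Stand-in for crypto_free_acomp(): like the kernel version it dereferences
 * the handle, so handing it an ERR_PTR value is the crash the advisory describes. */
static void fake_crypto_free_acomp(struct crypto_acomp *tfm)
{
    memset(tfm->alg, 0, sizeof tfm->alg);   /* touches *tfm before releasing it */
    free(tfm);
}

/* What the vulnerable cleanup effectively relied on: a NULL test. */
static int null_check_passes(const struct crypto_acomp *tfm)
{
    return tfm != NULL;
}

/* What the fix checks: the handle is neither NULL nor an encoded error. */
static int is_safe_to_free(const struct crypto_acomp *tfm)
{
    return !IS_ERR_OR_NULL(tfm);
}

/* Flow modelled on save_compressed_image(): allocate, jump to the shared
 * cleanup label on failure, and guard the free as the patch does.  Returns 0
 * on success or the negative errno carried by the error pointer. */
static int simulate_save_image(const char *alg)
{
    struct crypto_acomp *tfm = fake_crypto_alloc_acomp(alg);
    int ret = 0;

    if (IS_ERR(tfm)) {
        ret = (int)PTR_ERR(tfm);
        goto out_clean;
    }
    /* compression of the hibernation image would happen here */

out_clean:
    if (!IS_ERR_OR_NULL(tfm))   /* the fix: skip the free on NULL or ERR_PTR */
        fake_crypto_free_acomp(tfm);
    return ret;
}

int main(void)
{
    struct crypto_acomp *bad = fake_crypto_alloc_acomp("nonexistent");
    printf("alloc(\"nonexistent\"): IS_ERR=%d PTR_ERR=%ld non-NULL=%d\n",
           IS_ERR(bad), PTR_ERR(bad), null_check_passes(bad));
    printf("save with \"lzo\" -> %d, with \"nonexistent\" -> %d\n",
           simulate_save_image("lzo"), simulate_save_image("nonexistent"));
    return 0;
}
```

The same IS_ERR_OR_NULL() guard applies to the acomp_request_free() call the patch also covers; the pattern is general to any kernel cleanup path that may run after an allocation returned an error pointer.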
Detection Methods for CVE-2026-23044
Indicators of Compromise
- Kernel panic or crash logs referencing crypto_acomp_tfm() or crypto_free_acomp()
- System crashes occurring during hibernate or suspend-to-disk operations
- Kernel oops messages in /var/log/kern.log or dmesg output related to PM hibernate functions
- Unexpected system reboots when attempting to hibernate
Detection Strategies
- Monitor kernel logs for panic messages mentioning save_compressed_image() or load_compressed_image() functions
- Check for kernel configuration mismatches where hibernate compression is enabled but the underlying crypto algorithm is not available
- Implement monitoring for CONFIG_CRYPTO_LZO or other compression algorithm availability when hibernate features are enabled
- Use kernel crash dump analysis tools to identify NULL pointer dereference patterns in the hibernate code path
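As an added example of the log-monitoring strategy above (not part of the advisory), the C program below scans a buffer of kernel log lines, splits it into oops blocks, and counts the blocks whose trace combines a crypto_free_acomp()/crypto_acomp_tfm() frame with a save_compressed_image()/load_compressed_image() frame. The sample log is constructed for the example; the exact oops layout varies by kernel version and architecture, so the scanner keys only on the function names, not on the surrounding text.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Facts collected from one oops block that matter for this triage. */
struct oops_summary {
    bool in_free_path;   /* frame in crypto_free_acomp() or crypto_acomp_tfm() */
    bool in_hibernate;   /* frame in save_compressed_image() or load_compressed_image() */
};

/* A "BUG:" or "Oops:" line opens a block.  On x86 an "Oops:" line follows the
 * "BUG:" line before any frames are printed, so the restart is harmless. */
static bool starts_oops(const char *line)
{
    return strstr(line, "BUG:") != NULL || strstr(line, "Oops:") != NULL;
}

static bool matches_signature(const struct oops_summary *s)
{
    return s->in_free_path && s->in_hibernate;
}

/* Scan a '\n'-separated log buffer and return how many oops blocks carry the
 * crash signature described for this CVE. */
static int count_hibernate_acomp_oops(const char *log)
{
    int hits = 0;
    bool in_block = false;
    struct oops_summary cur = {false, false};
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (starts_oops(line)) {
            if (in_block && matches_signature(&cur))
                hits++;
            cur.in_free_path = cur.in_hibernate = false;
            in_block = true;
        } else if (in_block) {
            if (strstr(line, "crypto_free_acomp") || strstr(line, "crypto_acomp_tfm"))
                cur.in_free_path = true;
            if (strstr(line, "save_compressed_image") || strstr(line, "load_compressed_image"))
                cur.in_hibernate = true;
        }
        p = nl ? nl + 1 : p + len;
    }
    if (in_block && matches_signature(&cur))
        hits++;
    return hits;
}

/* Constructed sample: two oops blocks, only the first matches the signature.
 * The faulting address is ERR_PTR(-ENOENT) as it would appear on x86-64. */
static const char SAMPLE_LOG[] =
    "[   12.001] PM: hibernation: Creating image\n"
    "[   12.010] BUG: unable to handle page fault for address: fffffffffffffffe\n"
    "[   12.011] RIP: 0010:crypto_free_acomp+0x8/0x20\n"
    "[   12.012] Call Trace:\n"
    "[   12.013]  save_compressed_image+0x3a1/0x4c0\n"
    "[   12.014]  swsusp_write+0x1f2/0x2b0\n"
    "[   12.015]  hibernate+0x2b4/0x3d0\n"
    "[   90.000] BUG: kernel NULL pointer dereference, address: 0000000000000010\n"
    "[   90.001] RIP: 0010:some_driver_probe+0x12/0x40\n"
    "[   90.002] Call Trace:\n"
    "[   90.003]  really_probe+0x1c8/0x3e0\n";

int main(void)
{
    printf("matching oops blocks in sample log: %d\n",
           count_hibernate_acomp_oops(SAMPLE_LOG));
    return 0;
}
```

In practice the buffer would come from dmesg output, kern.log or the journal; requiring both frame types in the same block keeps unrelated crypto or hibernate crashes from raising the alert.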
Monitoring Recommendations
- Configure kernel crash dump (kdump) collection to capture debugging information when crashes occur
- Set up automated alerts for kernel panic events related to power management subsystems
- Review system configuration to ensure required crypto modules are loaded before hibernate operations
- Monitor for failed hibernate attempts in system logs
How to Mitigate CVE-2026-23044
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the IS_ERR_OR_NULL() checks
- Ensure the required compression algorithm module (e.g., CONFIG_CRYPTO_LZO) is compiled and loaded before using hibernate
- Consider disabling hibernate functionality on affected systems until patches are applied
- Review kernel configuration to ensure compression algorithm dependencies are satisfied
Patch Information
The vulnerability has been addressed in the Linux kernel stable branches. The fix adds IS_ERR_OR_NULL() checks before calling crypto_free_acomp() and acomp_request_free() in the hibernate image handling code.
Patch commits are available at:
Workarounds
- Ensure the required crypto compression module is loaded before hibernate operations by adding it to /etc/modules or module autoload configuration
- Disable hibernate functionality if the compression algorithm cannot be made available: systemctl mask hibernate.target
- Verify kernel configuration includes CONFIG_CRYPTO_LZO=y or CONFIG_CRYPTO_LZO=m (with module loaded) when using LZO compression for hibernate
- Consider using alternative power management methods (suspend-to-RAM) until the kernel can be updated
# Verify the LZO algorithm is registered with the kernel crypto API
grep -B1 -A2 '^name *: lzo$' /proc/crypto
# Load the crypto module if it is built as a module (CONFIG_CRYPTO_LZO=m);
# the crypto API module is "lzo", not the "lzo_compress" library module
modprobe lzo
lsmod | grep '^lzo'
# Disable hibernate if the algorithm cannot be made available
systemctl mask hibernate.target
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.