
CVE-2026-31391: Linux Kernel Information Disclosure Flaw

CVE-2026-31391 is an information disclosure vulnerability in the Linux kernel's crypto atmel-sha204a component affecting resource management. This article covers technical details, affected versions, and mitigations.

CVE-2026-31391 Overview

CVE-2026-31391 is a resource management flaw in the Linux kernel's atmel-sha204a crypto driver. The driver fails to decrement the ->tfm_count reference counter when a memory allocation fails during transform initialization. The leaked counter blocks future read operations against the device, producing a denial-of-service condition on systems that rely on the Atmel SHA204A cryptographic co-processor. The issue has been resolved upstream across multiple stable kernel branches.

Critical Impact

A leaked ->tfm_count after an out-of-memory event prevents subsequent reads from the Atmel SHA204A device, breaking cryptographic functionality until the system is rebooted.

Affected Products

  • Linux kernel builds that enable the atmel-sha204a crypto driver
  • Embedded and IoT platforms shipping Atmel/Microchip ATSHA204A hardware
  • Stable kernel branches prior to the fixes referenced in the upstream commits

Discovery Timeline

  • 2026-04-03 - CVE-2026-31391 published to NVD
  • 2026-04-18 - Last updated in NVD database

Technical Details for CVE-2026-31391

Vulnerability Analysis

The atmel-sha204a driver tracks the number of active transform (tfm) instances using an internal counter named ->tfm_count. The counter gates concurrent access and prevents read operations from racing with teardown. During transform initialization, the driver increments ->tfm_count before attempting to allocate supporting memory.

When the allocation fails, the original code path returns an error without rolling back the increment. Each failed allocation therefore permanently raises the counter. After enough failures, or after a single failure on a device that allows only one outstanding user, the driver refuses further read requests because the counter never returns to its expected baseline.

The condition is a resource leak rather than a memory safety bug. It does not enable code execution or privilege escalation, but it does break cryptographic services exposed by the device until the kernel is restarted.

Root Cause

The root cause is a missing decrement on the error path of the transform initialization routine. The fix restores the counter to its prior value when kmalloc-class allocations fail, ensuring ->tfm_count reflects only successfully initialized transforms.
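As an added illustration (a constructed model, not the kernel driver's code), the vulnerable pattern next to the fixed one: a transform-init routine that raises the counter before allocating and either leaks it or rolls it back on -ENOMEM. Names such as sha204a_dev, model_kmalloc and read_after_failed_init are assumptions made for this example, and the rule that reads are refused while a transform is outstanding follows the advisory's description rather than the real driver.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the driver's transform lifecycle, not kernel code.
 * tfm_count stands in for the real ->tfm_count; reads are refused while
 * any transform is outstanding, as the advisory describes. */
struct sha204a_dev {
    int tfm_count;          /* live transforms */
    bool alloc_should_fail; /* test knob: simulate an out-of-memory event */
};
enum { ENOMEM = 12, EBUSY = 16 };
static void *model_kmalloc(struct sha204a_dev *dev, size_t n)
{
    return dev->alloc_should_fail ? NULL : malloc(n);
}

/* Vulnerable pattern: the increment is never rolled back on failure. */
static int tfm_init_vulnerable(struct sha204a_dev *dev, void **ctx)
{
    dev->tfm_count++;
    *ctx = model_kmalloc(dev, 64);
    if (!*ctx)
        return -ENOMEM;     /* counter leaks by one on every failure */
    return 0;
}

/* Fixed pattern: restore the counter before returning the error. */
static int tfm_init_fixed(struct sha204a_dev *dev, void **ctx)
{
    dev->tfm_count++;
    *ctx = model_kmalloc(dev, 64);
    if (!*ctx) {
        dev->tfm_count--;
        return -ENOMEM;
    }
    return 0;
}

/* Reads are blocked while the counter says a transform is still alive. */
static int dev_read(const struct sha204a_dev *dev)
{
    return dev->tfm_count > 0 ? -EBUSY : 0;
}

/* One failed init, then a read: 0 when healthy, -EBUSY if the count leaked. */
static int read_after_failed_init(int (*init)(struct sha204a_dev *, void **))
{
    struct sha204a_dev dev = { .tfm_count = 0, .alloc_should_fail = true };
    void *ctx = NULL;
    (void)init(&dev, &ctx); /* both variants return -ENOMEM here */
    return dev_read(&dev);
}
```

The same single failed allocation leaves the vulnerable variant returning -EBUSY on every later read, while the fixed variant reads normally.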

Attack Vector

Triggering the flaw requires local interaction with the crypto device and a memory pressure condition that causes allocation failures. The vulnerability is not remotely exploitable and produces availability impact only. No public exploit, proof-of-concept, or in-the-wild activity has been reported, and the EPSS data places exploitation probability at the low end of the scale.

No verified exploitation code is available. The technical details are documented in the upstream patch series referenced below.

Detection Methods for CVE-2026-31391

Indicators of Compromise

  • Repeated -ENOMEM errors logged by the atmel-sha204a driver in dmesg or the system journal
  • Userspace cryptographic clients receiving persistent EBUSY or similar errors when opening the SHA204A character device
  • A non-zero ->tfm_count value that does not return to baseline after clients disconnect

Detection Strategies

  • Compare the running kernel version and atmel-sha204a module against the fixed commits (1ab70c2, 2bfc83c, 66ee9c1, 6f50204, c2d0c45, d240b07, fd262dc)
  • Inventory devices that bind to the atmel-sha204a driver using lsmod, modinfo, and device tree exports
  • Correlate crypto API failure rates with system memory pressure events to identify candidate systems

Monitoring Recommendations

  • Forward kernel ring buffer messages to a centralized logging pipeline and alert on atmel-sha204a error patterns
  • Track availability of dependent services that rely on hardware-backed SHA-256 or HMAC operations
  • Monitor memory pressure metrics on embedded fleets where the driver is loaded, since the bug only manifests under allocation failure

How to Mitigate CVE-2026-31391

Immediate Actions Required

  • Identify all systems loading the atmel-sha204a module and prioritize them for patching
  • Apply the stable kernel update that includes the upstream fix for your distribution
  • Reboot affected systems after patching to clear any leaked ->tfm_count state

Patch Information

The fix has been merged across multiple stable branches. Reference the upstream kernel Git commits 1ab70c2, 2bfc83c, 66ee9c1, 6f50204, c2d0c45, d240b07, and fd262dc. Each commit decrements ->tfm_count on the allocation failure path so subsequent reads are not blocked.

Workarounds

  • Unload the atmel-sha204a module on systems that do not actively use the device until a patched kernel is deployed
  • Reduce memory pressure on affected hosts to lower the likelihood of allocation failures that trigger the leak
  • Reboot the system to reset the in-kernel counter if cryptographic reads begin to fail before a patch is available

```bash
# Verify whether the atmel-sha204a driver is loaded and inspect related kernel messages
lsmod | grep atmel_sha204a
# Kernel messages may spell the name with a hyphen or an underscore; match both
dmesg | grep -i 'atmel.sha204a'

# Temporarily unload the driver if it is not required
sudo modprobe -r atmel_sha204a
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.