CVE-2026-31739 Overview
CVE-2026-31739 affects the Linux kernel's tegra crypto driver. The driver fails to set the CRYPTO_ALG_ASYNC flag on its asynchronous algorithms. As a result, the kernel crypto API selects these asynchronous algorithms for callers that explicitly request synchronous algorithms. This mismatch causes kernel crashes when affected code paths execute. The issue is tracked under CWE-617 (Reachable Assertion) and impacts Linux kernel builds that include the Tegra crypto driver, including 7.0 release candidates rc1 through rc6.
Critical Impact
A local attacker with low privileges can trigger kernel crashes by invoking crypto operations that request synchronous algorithms, leading to denial of service on Tegra-based systems.
Affected Products
- Linux kernel (multiple stable branches, see vendor advisories)
- Linux kernel 7.0-rc1 through 7.0-rc6
- Systems using the Tegra cryptographic hardware driver
Discovery Timeline
- 2026-05-01 - CVE-2026-31739 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31739
Vulnerability Analysis
The Linux kernel crypto API allows callers to request either synchronous or asynchronous transformations. Drivers must declare their algorithm type by setting the CRYPTO_ALG_ASYNC flag during registration. The Tegra crypto driver registers asynchronous algorithms but omits this flag. The crypto API therefore treats these algorithms as synchronous-capable. When a kernel subsystem requests a synchronous algorithm, the API may bind it to a Tegra asynchronous implementation. The mismatched expectation causes the calling code to execute synchronous-only code paths against asynchronous primitives, producing crashes inside the kernel.
Root Cause
The root cause is a missing capability flag in the algorithm registration structure of the tegra crypto driver. Asynchronous algorithms must advertise themselves via CRYPTO_ALG_ASYNC so the crypto framework can filter them out for synchronous requests. The Tegra driver also included redundant CRYPTO_ALG_TYPE_* flags that the registration function overrides, which masked the misclassification during code review.
Attack Vector
An attacker with local access and low privileges can invoke kernel interfaces that request synchronous crypto algorithms (for example, through user-space crypto APIs, IPsec, dm-crypt, or fs-verity paths). On Tegra hardware where the driver is loaded, the crypto API may select an asynchronous Tegra algorithm in response. The resulting execution path triggers a kernel-side fault and a crash. The vulnerability does not require crafted exploitation payloads, only triggering normal crypto code paths that expect synchronous behavior. Refer to the Kernel Git Commit 4b56770 for the exact source-level fix.
Detection Methods for CVE-2026-31739
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing the tegra crypto driver in dmesg or /var/log/kern.log.
- Kernel call traces involving tegra_aes, tegra_se, or related crypto symbols followed by a system reboot.
- Repeated process crashes from user-space services that consume kernel crypto interfaces (dm-crypt, IPsec, fscrypt) on Tegra hardware.
Detection Strategies
- Audit installed kernel package versions against the fixed commits listed in the vendor advisories.
- Inspect /proc/crypto on Tegra systems and verify that algorithms registered by the tegra driver report async correctly.
- Correlate kernel crash telemetry with crypto subsystem activity to identify systems impacted before patching.
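One way to script the /proc/crypto check is sketched below. It is an added example, not part of the original advisory or the kernel project. It lists Tegra-backed entries whose `async` field is not `yes`, which is how an algorithm registered without CRYPTO_ALG_ASYNC appears. Matching on "tegra" in the driver or module field is an assumption, and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory). Prints Tegra-backed algorithms
# whose /proc/crypto "async" field is not "yes".
# Assumption: Tegra entries have "tegra" in the driver or module field.
tegra_sync_entries() {   # $1: /proc/crypto-format file, "-" for stdin
    awk -F' *: *' '
        function emit() {
            if (("async" in rec) && rec["async"] != "yes" &&
                tolower(rec["driver"] " " rec["module"]) ~ /tegra/)
                printf "%s\t%s\t%s\n", rec["driver"], rec["name"], rec["type"]
            split("", rec)          # reset for the next record
        }
        /^ *$/  { emit(); next }    # a blank line ends a record
        NF >= 2 { rec[$1] = $2 }    # store "key : value" pairs
        END     { emit() }
    ' "${1:-/proc/crypto}"
}

# Constructed sample: abbreviated records, values made up for illustration.
sample_proc_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : cbc-aes-tegra
module       : tegra_se
type         : skcipher
async        : no

name         : sha256
driver       : tegra-se-sha256
module       : tegra_se
type         : ahash
async        : yes

name         : cbc(aes)
driver       : cbc-aes-ce
module       : aes_ce_blk
type         : skcipher
async        : no

name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash
EOF
}

sample_proc_crypto | tegra_sync_entries -
```

Called with no argument, `tegra_sync_entries` reads the live /proc/crypto. Empty output on a Tegra host with the driver loaded means every Tegra entry that carries an `async` field reports `yes`.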
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized log pipeline and alert on BUG, Oops, or WARNING entries that include tegra symbols.
- Track unplanned reboots on Tegra-based fleet devices and embedded platforms running affected kernels.
- Monitor process crash rates for services that depend on kernel crypto, including systemd-cryptsetup, strongswan, and dm-verity consumers.
How to Mitigate CVE-2026-31739
Immediate Actions Required
- Identify Linux systems that ship the Tegra crypto driver, primarily NVIDIA Jetson and Tegra-based embedded platforms.
- Apply the upstream stable kernel update that contains the fix commits referenced in the vendor advisories.
- Reboot affected hosts after patching to load the corrected driver.
Patch Information
The fix adds the CRYPTO_ALG_ASYNC flag to the Tegra crypto driver registrations and removes the unnecessary CRYPTO_ALG_TYPE_* flags. Stable backports are available in the following commits: Kernel Git Commit 3aea268, Kernel Git Commit 429d055, Kernel Git Commit 4b56770, and Kernel Git Commit bdbf027. Update to a stable kernel release that incorporates these commits.
Workarounds
- Unload the tegra crypto driver where hardware-accelerated crypto is not required, forcing fallback to software implementations.
- Restrict local access on Tegra hosts to trusted users until the patched kernel is deployed.
- Disable user-space access to the kernel crypto API (AF_ALG) where it is not needed by production workloads.
```bash
# Temporarily blacklist the Tegra crypto driver until patching is complete
echo "blacklist tegra-se" | sudo tee /etc/modprobe.d/blacklist-tegra-crypto.conf
sudo rmmod tegra_se 2>/dev/null || true
# Verify the module is no longer loaded
lsmod | grep -i tegra
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


