CVE-2026-31746 Overview
CVE-2026-31746 is a memory leak vulnerability in the Linux kernel's s390/zcrypt driver. The flaw affects IBM Z mainframe systems using Common Cryptographic Architecture (CCA) cards as accelerators for clear key RSA requests. Both Modular Exponentiation (ME) and Chinese Remainder Theorem (CRT) code paths fail to free an earlier AP message allocation after a rework introduced ap_init_apmsg(). Each affected RSA request leaks kernel memory, eventually exhausting available resources and causing denial of service. The vulnerability is tracked under CWE-401: Missing Release of Memory after Effective Lifetime.
Critical Impact
A local authenticated user issuing repeated clear key RSA operations through the zcrypt interface can exhaust kernel memory and degrade system availability on s390/IBM Z hosts.
Affected Products
- Linux kernel 7.0-rc1 through 7.0-rc6
- Linux kernel stable branches with the s390/zcrypt ap_init_apmsg() rework
- IBM Z (s390) systems using CCA cryptographic cards in accelerator mode
Discovery Timeline
- 2026-05-01 - CVE-2026-31746 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31746
Vulnerability Analysis
The s390/zcrypt subsystem provides userspace access to IBM Z hardware cryptographic adapters through the AP (Adjunct Processor) bus. When a CCA card is configured as an accelerator, it handles clear key RSA computations submitted via ioctl calls on /dev/z90crypt. Each request requires an AP message buffer to carry the request payload to the adapter.
A prior refactor centralized AP message buffer allocation into ap_init_apmsg(). However, the ME and CRT request handlers retained their original allocation calls in addition to the new initialization path. The result is two allocations per request, with only the second buffer tracked and released. The first buffer is orphaned on every call.
Repeated RSA operations from a low-privilege local user steadily consume kernel slab memory. Sustained workloads on systems exposing zcrypt to multiple tenants reach memory pressure thresholds, triggering OOM conditions and impacting workloads sharing the host.
Root Cause
The root cause is duplicate buffer allocation in the RSA ME and CRT submission paths within drivers/s390/crypto/zcrypt_*. The legacy allocation was not removed when ap_init_apmsg() became the canonical initializer, leaving an unreferenced allocation that is never passed to the corresponding free routine.
Attack Vector
Exploitation requires local access with permission to open the zcrypt device. An attacker submits a high volume of clear key RSA ME or CRT requests through the standard zcrypt ioctl interface. Each request leaks one AP message buffer in kernel space, with no userspace indicator of the leak. The vulnerability does not yield code execution or data disclosure but degrades availability.
No public proof-of-concept is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-31746
Indicators of Compromise
- Steady, unexplained growth in kernel slab allocations on s390/IBM Z hosts running CCA accelerator workloads
- Out-of-memory kills affecting unrelated workloads on systems with active zcrypt usage
- High call rates to zcrypt RSA ioctl operations from a single non-root user or process
Detection Strategies
- Monitor /proc/slabinfo for unbounded growth in AP message buffer slabs over time
- Audit zcrypt device access using Linux Audit subsystem rules on /dev/z90crypt to track per-user request volume
- Correlate kernel memory pressure events with workloads issuing clear key RSA ME or CRT operations
Monitoring Recommendations
- Baseline normal MemAvailable and slab consumption on s390 hosts and alert on sustained downward trends
- Track kernel version and patch level across the IBM Z fleet to confirm fixed builds are deployed
- Forward kernel OOM and slab statistics to a centralized SIEM for trend analysis across the cluster
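The slab-growth check described under Detection Strategies and Monitoring Recommendations can be automated as below. This is an added example, not code from the advisory or the kernel project; the snapshots are constructed sample data, and the cache names and the 1 MiB threshold are assumptions. It compares every cache instead of assuming the leaked buffers sit in a cache with a particular name.

```python
"""Flag slab caches that grow steadily across /proc/slabinfo snapshots."""

# Constructed sample data, not captured from a real host. Columns follow
# slabinfo 2.1: name <active_objs> <num_objs> <objsize> <objperslab> ...
ROW = "{:<14}{:>7}{:>7}{:>6} 8 1 : tunables 0 0 0 : slabdata 0 0 0\n"


def make_snapshot(rows):
    """Build one constructed snapshot from (name, active_objs, objsize) rows."""
    head = "slabinfo - version: 2.1\n# name <active_objs> <num_objs> <objsize>\n"
    return head + "".join(ROW.format(n, a, a, s) for n, a, s in rows)


SAMPLES = [
    make_snapshot([("kmalloc-4096", 1200, 4096), ("dentry", 90000, 192), ("inode_cache", 4000, 600)]),
    make_snapshot([("kmalloc-4096", 5200, 4096), ("dentry", 88000, 192), ("inode_cache", 4000, 600)]),
    make_snapshot([("kmalloc-4096", 9800, 4096), ("dentry", 93000, 192), ("inode_cache", 4010, 600)]),
]


def parse_slabinfo(text):
    """Return {cache_name: active_objs * objsize} for one snapshot."""
    usage = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not (fields[1].isdigit() and fields[3].isdigit()):
            continue  # header, comment or malformed line
        usage[fields[0]] = int(fields[1]) * int(fields[3])
    return usage


def growing_caches(snapshots, min_growth_bytes):
    """Caches that never shrink between snapshots and grow by >= the threshold."""
    if len(snapshots) < 2:
        raise ValueError("need at least two snapshots")
    series = [parse_slabinfo(s) for s in snapshots]
    hits = []
    for name in set(series[0]).intersection(*series[1:]):
        values = [s[name] for s in series]
        steady = all(b >= a for a, b in zip(values, values[1:]))
        if steady and values[-1] - values[0] >= min_growth_bytes:
            hits.append((name, values[-1] - values[0]))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for name, growth in growing_caches(SAMPLES, 1 << 20):
        print(f"{name}: +{growth} bytes")
```

On a live host, pass successive reads of /proc/slabinfo (root only) taken at a fixed interval in place of SAMPLES, and correlate any flagged cache with zcrypt RSA request activity before attributing it to this leak.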
How to Mitigate CVE-2026-31746
Immediate Actions Required
- Inventory all s390/IBM Z systems running affected Linux kernel versions and identify those using CCA cards in accelerator mode
- Apply the upstream stable kernel patches that remove the duplicate AP message allocation in the ME and CRT paths
- Restrict access to /dev/z90crypt to trusted service accounts only, removing unnecessary group membership
Patch Information
The fix is available in the upstream Linux stable tree. Refer to the following commits for the corrected allocation logic: Kernel Git Commit 586222c, Kernel Git Commit ace37bf, and Kernel Git Commit c8d46f. Distribution maintainers backport these commits into their supported stable kernels.
Workarounds
- Reconfigure CCA cards out of accelerator mode where clear key RSA performance is not required
- Apply Linux control groups (cgroups) memory limits to processes accessing zcrypt to contain leak impact
- Schedule periodic reboots of affected hosts until patched kernels are deployed in production
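# Restrict zcrypt device access to a dedicated group
# (the zcrypt-users group must already exist; /dev nodes are recreated at boot,
# so make the ownership and mode persistent with a udev rule)
chgrp zcrypt-users /dev/z90crypt
chmod 0660 /dev/z90crypt
# Verify running kernel version against fixed releases
uname -r
# Monitor AP message slab allocation growth
# (/proc/slabinfo is readable by root only)
watch -n 60 'grep -E "ap_msg|zcrypt" /proc/slabinfo'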
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


