CVE-2026-43043 Overview
CVE-2026-43043 is a NULL pointer dereference vulnerability in the Linux kernel's AF_ALG cryptographic socket interface. The flaw resides in the af_alg_alloc_tsgl() function, which fails to unmark the end of a Scatter/Gather List (SGL) when chaining a new af_alg_tsgl structure. When a sendmsg() call fills an SGL exactly to MAX_SGL_ENTS, the last entry receives an end marker. A subsequent sendmsg() allocates and chains a new SGL but does not clear the previous end marker, causing the crypto scatterwalk to terminate prematurely and trigger a kernel panic on sg_next() dereference.
Critical Impact
A local unprivileged user with access to AF_ALG sockets can trigger a kernel NULL pointer dereference, resulting in a kernel panic and denial of service.
Affected Products
- Linux kernel versions implementing the AF_ALG cryptographic interface
- Distributions exposing CONFIG_CRYPTO_USER_API and related crypto socket families
- Systems where unprivileged users can open AF_ALG sockets
Discovery Timeline
- 2026-05-01 - CVE-2026-43043 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43043
Vulnerability Analysis
The AF_ALG interface allows userspace applications to access kernel cryptographic transforms through a socket-based API. Data submitted via sendmsg() is stored in a chain of af_alg_tsgl structures, each holding a Scatter/Gather List of up to MAX_SGL_ENTS entries. The kernel marks the final entry of an SGL with an end bit so traversal routines know when to stop.
When an SGL fills exactly to capacity and a new sendmsg() extends the buffer, af_alg_alloc_tsgl() allocates a new SGL and links it via sg_chain(). The defect is the missing call to clear the end marker on the previous SGL's final data entry before chaining. As a result, the chained SGL is unreachable through standard traversal.
During crypto operations, the scatterwalk iterator follows the chain via sg_next(). Hitting the stale end marker, the iterator returns NULL prematurely. Subsequent dereference of this NULL pointer in kernel context produces an oops and panics the system.
Root Cause
The root cause is incorrect SGL chaining logic [CWE-476]. The fix explicitly unmarks the previous SGL's terminal entry before performing sg_chain() in af_alg_alloc_tsgl(), restoring correct traversal semantics across chained scatter/gather lists.
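The chaining defect and its fix can be reproduced in a small userspace model of the scatterlist CHAIN/END flag bits. The following is an added example for this advisory, not kernel code and not part of the upstream fix: struct sg, sg_mark_end(), sg_unmark_end(), sg_chain() and sg_next() are simplified re-implementations with the semantics of their kernel namesakes, tsgl_add() stands in for the per-entry end marking done by sendmsg(), and MAX_ENTS is a model value used in place of MAX_SGL_ENTS. With apply_fix=0 the walk stops at the stale END on the last data entry and the chained list is unreachable; with apply_fix=1 the reserved link slot is followed into the second list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SG_CHAIN 0x01UL
#define SG_END   0x02UL
#define MAX_ENTS 4U   /* model value only; the kernel's MAX_SGL_ENTS is larger */

struct sg {
    uintptr_t page_link;  /* page pointer (unused here) with CHAIN/END flags in the low bits */
    unsigned int length;
};

/* One transmit list: MAX_ENTS data slots plus one slot reserved for the chain link. */
struct tsgl {
    struct sg sg[MAX_ENTS + 1];
    unsigned int cur;     /* data slots in use */
};

static void sg_mark_end(struct sg *s)   { s->page_link = (s->page_link | SG_END) & ~SG_CHAIN; }
static void sg_unmark_end(struct sg *s) { s->page_link &= ~SG_END; }
static int sg_is_chain(const struct sg *s) { return (s->page_link & SG_CHAIN) != 0; }
static int sg_is_last(const struct sg *s)  { return (s->page_link & SG_END) != 0; }
static struct sg *sg_chain_ptr(const struct sg *s)
{
    return (struct sg *)(s->page_link & ~(SG_CHAIN | SG_END));
}

/* Turn the last slot of prv into a link to sgl (kernel sg_chain() semantics). */
static void sg_chain(struct sg *prv, unsigned int prv_nents, struct sg *sgl)
{
    prv[prv_nents - 1].page_link = ((uintptr_t)sgl | SG_CHAIN) & ~SG_END;
}

/* Kernel-style iteration: NULL at an END entry, otherwise step and follow links. */
static struct sg *sg_next(struct sg *s)
{
    if (sg_is_last(s))
        return NULL;
    s++;
    return sg_is_chain(s) ? sg_chain_ptr(s) : s;
}

static void tsgl_init(struct tsgl *t)
{
    memset(t, 0, sizeof *t);
    sg_mark_end(&t->sg[MAX_ENTS]);  /* like sg_init_table(): the last slot carries END */
}

/* Append a data entry and move the END mark onto it (what sendmsg does per entry). */
static void tsgl_add(struct tsgl *t, unsigned int length)
{
    if (t->cur > 0)
        sg_unmark_end(&t->sg[t->cur - 1]);
    t->sg[t->cur].length = length;
    sg_mark_end(&t->sg[t->cur]);
    t->cur++;
}

/* Fill a to exactly MAX_ENTS, then chain b behind it with one more entry. */
static void build_chained(struct tsgl *a, struct tsgl *b, int apply_fix)
{
    tsgl_init(a);
    tsgl_init(b);
    for (unsigned int i = 0; i < MAX_ENTS; i++)
        tsgl_add(a, 100);                     /* END now sits on a->sg[MAX_ENTS - 1] */
    if (apply_fix)
        sg_unmark_end(&a->sg[MAX_ENTS - 1]);  /* the fix: clear END on the last data entry */
    sg_chain(a->sg, MAX_ENTS + 1, b->sg);     /* link slot is a->sg[MAX_ENTS] */
    tsgl_add(b, 50);
}

/* Bytes a walker starting at a.sg can reach: 400 without the fix, 450 with it. */
unsigned int reachable_bytes(int apply_fix)
{
    struct tsgl a, b;
    unsigned int total = 0;
    build_chained(&a, &b, apply_fix);
    for (struct sg *s = a.sg; s != NULL; s = sg_next(s))
        total += s->length;
    return total;
}

/* 1 if a walk of nbytes completes; 0 if sg_next() yields NULL with bytes still owed,
 * which is the point at which the kernel's scatterwalk dereferences the NULL. */
int walk_completes(int apply_fix, unsigned int nbytes)
{
    struct tsgl a, b;
    struct sg *s;
    build_chained(&a, &b, apply_fix);
    for (s = a.sg; nbytes > 0; s = sg_next(s)) {
        if (s == NULL)
            return 0;
        nbytes -= s->length < nbytes ? s->length : nbytes;
    }
    return 1;
}

int main(void)
{
    printf("reachable bytes: buggy=%u fixed=%u\n", reachable_bytes(0), reachable_bytes(1));
    printf("walk of 450 bytes completes: buggy=%d fixed=%d\n",
           walk_completes(0, 450), walk_completes(1, 450));
    return 0;
}
```

Build with cc -std=c99 -Wall and run. A walk_completes() result of 0 for the 450-byte walk is the model's equivalent of the scatterwalk receiving NULL from sg_next() while bytes remain, which in the kernel is the dereference that panics the system.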
Attack Vector
A local user with permission to open an AF_ALG socket can trigger the condition by issuing successive sendmsg() calls sized to align exactly with MAX_SGL_ENTS boundaries. No special privileges are required beyond access to the crypto user API. Exploitation results in a kernel panic and denial of service. See the upstream fix in the Kernel Commit - Security Fix 1 for technical details.
// Conceptual flow (no synthetic exploit code provided)
// 1. socket(AF_ALG, SOCK_SEQPACKET, 0) and bind to a cipher
// 2. accept() to obtain operation socket
// 3. sendmsg() with payload sized to fill SGL exactly to MAX_SGL_ENTS
// 4. sendmsg() again to force af_alg_alloc_tsgl() chaining
// 5. Trigger crypto operation -> scatterwalk hits stale end marker -> NULL deref
Detection Methods for CVE-2026-43043
Indicators of Compromise
- Kernel oops messages referencing sg_next, scatterwalk_start, or af_alg_* symbols in dmesg or /var/log/kern.log
- Unexpected system panics or reboots on hosts where untrusted local users have AF_ALG access
- Process crash traces involving sendmsg() against AF_ALG sockets followed by crypto operations
Detection Strategies
- Monitor kernel ring buffer for NULL pointer dereference traces containing af_alg_alloc_tsgl or scatterwalk frames
- Audit running kernel versions against the patched commits referenced on git.kernel.org to identify unpatched hosts
- Track auditd events for processes opening AF_ALG sockets in environments where this is uncommon
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on BUG: kernel NULL pointer dereference events
- Inventory Linux hosts and correlate kernel build versions with the upstream stable branches that contain the fix
- Establish baselines for AF_ALG socket usage and flag anomalous activity from non-cryptographic workloads
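The following added example (not from this advisory's sources) implements the correlation suggested by the indicators of compromise and the SIEM alert in the monitoring recommendations: rather than alerting on every NULL pointer dereference BUG line, it treats each oops as a window from the BUG header to the "---[ end trace" line and counts only those whose frames mention af_alg_, algif_, scatterwalk or sg_next. The log lines are constructed for the example, not captured from a real host; frame names in them beyond the symbols listed in the indicators are illustrative.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CONSTRUCTED sample: one NULL-deref oops with AF_ALG/scatterwalk frames, then an unrelated one. */
static const char *const CONSTRUCTED_LOG[] = {
    "[  812.101] BUG: kernel NULL pointer dereference, address: 0000000000000000",
    "[  812.102] Oops: 0000 [#1] SMP",
    "[  812.103] RIP: 0010:scatterwalk_start+0x1c/0x40",
    "[  812.104] Call Trace:",
    "[  812.105]  skcipher_walk_next+0x1e3/0x4a0",
    "[  812.106]  _skcipher_recvmsg+0x2b7/0x5f0 [algif_skcipher]",
    "[  812.107]  sock_recvmsg+0x5c/0x70",
    "[  812.108] ---[ end trace 0000000000000000 ]---",
    "[  950.001] BUG: kernel NULL pointer dereference, address: 0000000000000008",
    "[  950.002] RIP: 0010:example_driver_poll+0x10/0x30",
    "[  950.003] ---[ end trace 0000000000000000 ]---",
};

struct triage {
    unsigned int total_oops;   /* every NULL-dereference BUG header seen */
    unsigned int af_alg_oops;  /* those whose trace touches af_alg_, algif_, scatterwalk or sg_next */
};

static int is_af_alg_frame(const char *line)
{
    static const char *const markers[] = { "af_alg_", "algif_", "scatterwalk", "sg_next" };
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (strstr(line, markers[i]) != NULL)
            return 1;
    return 0;
}

/* Walk the log once; an oops window opens at a BUG header and closes at the end-trace line. */
struct triage triage_log(const char *const *lines, size_t n)
{
    struct triage t = { 0, 0 };
    int in_oops = 0, matched = 0;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "BUG: kernel NULL pointer dereference") != NULL) {
            if (in_oops && matched)       /* previous oops had no end-trace line */
                t.af_alg_oops++;
            t.total_oops++;
            in_oops = 1;
            matched = 0;
            continue;
        }
        if (!in_oops)
            continue;
        if (is_af_alg_frame(l))
            matched = 1;
        if (strstr(l, "---[ end trace") != NULL) {
            if (matched)
                t.af_alg_oops++;
            in_oops = matched = 0;
        }
    }
    if (in_oops && matched)               /* log ended inside an oops */
        t.af_alg_oops++;
    return t;
}

size_t constructed_log_len(void) { return sizeof CONSTRUCTED_LOG / sizeof CONSTRUCTED_LOG[0]; }
unsigned int sample_total_oops(void)  { return triage_log(CONSTRUCTED_LOG, constructed_log_len()).total_oops; }
unsigned int sample_af_alg_oops(void) { return triage_log(CONSTRUCTED_LOG, constructed_log_len()).af_alg_oops; }

int main(void)
{
    struct triage t = triage_log(CONSTRUCTED_LOG, constructed_log_len());
    printf("NULL-deref oopses: %u, with AF_ALG/scatterwalk frames: %u\n",
           t.total_oops, t.af_alg_oops);
    return t.af_alg_oops > 0 ? 2 : 0;     /* non-zero exit so a wrapper can raise an alert */
}
```

On a real host the same triage_log() can be fed the lines of dmesg or /var/log/kern.log; the window-based check keeps an unrelated driver oops from being attributed to this CVE.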
How to Mitigate CVE-2026-43043
Immediate Actions Required
- Apply your distribution's stable kernel update that carries the upstream patch adding the missing end-marker clearing in af_alg_alloc_tsgl()
- Reboot affected hosts after patching to load the fixed kernel image
- Restrict access to the AF_ALG interface on multi-tenant or shared systems until patches are deployed
Patch Information
The fix is distributed across multiple stable kernel branches. Reference commits include Kernel Commit - Security Fix 1, Kernel Commit - Security Fix 2, Kernel Commit - Security Update, Kernel Commit - Security Improvement, Kernel Commit - Bug Fix, Kernel Commit - Security Enhancement, Kernel Commit - Code Correction, and Kernel Commit - Security Revision. Track your distribution's security advisories for backported builds.
Workarounds
- Disable the algif_* kernel modules (algif_skcipher, algif_hash, algif_aead, algif_rng) where AF_ALG functionality is not required
- Use a kernel module blacklist to prevent loading of af_alg on hosts that do not need userspace crypto sockets
- Apply seccomp or LSM policies to restrict the socket() syscall with AF_ALG family for untrusted workloads
# Blacklist AF_ALG modules where the interface is unused
cat <<EOF | sudo tee /etc/modprobe.d/disable-af_alg.conf
blacklist algif_skcipher
blacklist algif_hash
blacklist algif_aead
blacklist algif_rng
blacklist af_alg
install af_alg /bin/true
EOF
# Verify the modules are not currently loaded
lsmod | grep -E 'algif_|af_alg'
# Confirm running kernel against patched stable releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.