CVE-2026-43336 Overview
CVE-2026-43336 is an information disclosure vulnerability in the Linux kernel's lib/crypto/chacha implementation. The flaw exists because the local variable permuted_state is not zeroized before going out of scope. Since the ChaCha permutation is invertible, an attacker who recovers permuted_state from stack memory can mathematically reconstruct the original state and recover the ChaCha cryptographic key. The issue affects multiple Linux kernel branches, including 7.0 release candidates rc1 through rc6. Maintainers resolved the issue by explicitly zeroing the buffer before it leaves scope, aligning the routine with kernel best practices for handling cryptographic secrets, particularly those associated with the random number generator (RNG).
Critical Impact
Residual ChaCha key material may remain on the kernel stack after cryptographic operations, enabling key recovery through memory disclosure side channels.
Affected Products
- Linux Kernel (multiple stable branches, see vendor commits)
- Linux Kernel 7.0-rc1 through 7.0-rc6
- Distributions shipping unpatched lib/crypto/chacha implementations
Discovery Timeline
- 2026-05-08 - CVE-2026-43336 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43336
Vulnerability Analysis
The vulnerability resides in the ChaCha stream cipher implementation in lib/crypto/chacha. ChaCha generates keystream output by applying an invertible permutation to an internal state block that contains the secret key, nonce, counter, and constants. After the permutation completes, the routine stored the result in a local stack variable named permuted_state. Because the permutation is mathematically invertible, recovering permuted_state is equivalent to recovering the original input state, including the key material.
The kernel typically follows the practice of clearing sensitive stack buffers before scope exit, particularly for primitives feeding the kernel RNG. In this case, permuted_state was left in stack memory after the function returned, allowing the data to persist until overwritten by subsequent stack frames.
Root Cause
The root cause is missing zeroization of a cryptographically sensitive local variable [CWE-noinfo]. The ChaCha permutation function produced permuted_state and did not call memzero_explicit() or an equivalent barrier before returning. Standard memset calls are insufficient because compilers can elide them as dead stores, which is why the kernel uses explicit zeroization helpers.
Attack Vector
Exploitation requires an adversary to obtain a read primitive that exposes kernel stack contents. Candidate primitives include uninitialized-memory disclosure bugs, speculative execution side channels, or kernel info-leak vulnerabilities that read residual stack frames. An attacker who recovers the permuted_state bytes can invert the ChaCha permutation offline to obtain the original key and counter, breaking the confidentiality of any data encrypted with that key. The attack does not enable code execution or integrity violations on its own; it amplifies the impact of other memory disclosure vulnerabilities.
Verified exploitation code is not publicly available for this issue. Refer to the upstream commits such as Kernel Git Commit 066c760 and Kernel Git Commit e504682 for the precise code paths.
Detection Methods for CVE-2026-43336
Indicators of Compromise
- No specific runtime indicators of compromise exist. The flaw is a passive information leak triggered only when combined with a separate kernel memory disclosure primitive.
- Unexpected kernel oops or panics in chacha_* symbols may indicate exploitation attempts paired with memory corruption.
Detection Strategies
- Inventory Linux hosts by kernel version using configuration management data and compare against the fixed commit hashes listed in the kernel.org stable advisories.
- Audit loaded kernel modules and shipped vendor kernels for inclusion of the patched lib/crypto/chacha.c source.
- Correlate kernel info-leak CVEs with exposure of cryptographic subsystems to prioritize patching of systems running unpatched ChaCha code.
Monitoring Recommendations
- Monitor for abnormal access to /dev/random, /dev/urandom, and getrandom() syscalls from unprivileged processes attempting to profile RNG output.
- Alert on dmesg entries referencing kernel address leaks, KASAN findings, or stack info-disclosure traces.
- Track kernel package update compliance across the fleet and surface hosts running pre-patch versions.
How to Mitigate CVE-2026-43336
Immediate Actions Required
- Update the Linux kernel to a version containing the upstream zeroization patch on all affected systems.
- Prioritize remediation on hosts that also have outstanding kernel info-leak or speculative-execution mitigations pending.
- Re-key any long-lived secrets that may have been processed on unpatched kernels exposed to untrusted local users.
Patch Information
The fix explicitly zeroes permuted_state before the variable leaves scope in lib/crypto/chacha. Patches are available across multiple stable branches via the following commits: Kernel Git Commit 066c760, Kernel Git Commit 1933243, Kernel Git Commit 1d761e5, Kernel Git Commit 91999af, Kernel Git Commit b416a42, Kernel Git Commit bd62d9b, Kernel Git Commit e504682, and Kernel Git Commit e90ee96.
Workarounds
- No supported workaround exists short of applying the upstream patch. Disabling ChaCha is not practical because it underpins the kernel RNG and several network protocols.
- Restrict local access on multi-tenant systems and apply kernel hardening options such as init_on_free and init_on_alloc to reduce the window in which residual stack data is recoverable.
- Enable existing mitigations for known kernel info-leak primitives, including KASLR, SMAP, and unprivileged BPF restrictions.
# Verify running kernel and confirm patch level against vendor advisories
uname -r
# Debian/Ubuntu: install latest kernel and reboot
sudo apt-get update && sudo apt-get install --only-upgrade linux-image-generic
sudo reboot
# RHEL/Rocky/Alma: update kernel package
sudo dnf update kernel
sudo reboot
# Optional hardening: enable memory initialization on alloc/free via kernel cmdline
# Add: init_on_alloc=1 init_on_free=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
