CVE-2026-43493 Overview
CVE-2026-43493 is a Linux kernel vulnerability in the pcrypt parallel crypto subsystem. The flaw involves incorrect handling of MAY_BACKLOG requests, which can return EBUSY when the request has been queued on the backlog rather than rejected. The kernel's pcrypt module also fails to filter out spurious EINPROGRESS notifications when processing these requests, leading to unpredictable behavior in cryptographic operations.
The issue affects multiple stable Linux kernel branches and has been addressed through coordinated patches in the upstream kernel tree.
Critical Impact
Improper handling of MAY_BACKLOG cryptographic requests in the Linux kernel's pcrypt subsystem can result in incorrect crypto operation state tracking, potentially affecting system stability and integrity of cryptographic workloads.
Affected Products
- Linux kernel (multiple stable branches as referenced in upstream commits)
- Systems utilizing the pcrypt parallel crypto template
- Linux distributions shipping affected kernel versions prior to the fix
Discovery Timeline
- 2026-05-19 - CVE-2026-43493 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-43493
Vulnerability Analysis
The vulnerability resides in the Linux kernel's pcrypt (parallel crypto) module. This subsystem parallelizes symmetric crypto operations across multiple CPU cores using padata. The flaw stems from improper handling of requests flagged with CRYPTO_TFM_REQ_MAY_BACKLOG.
When a MAY_BACKLOG request is submitted to an underlying crypto algorithm, the algorithm can return -EBUSY to indicate the request was queued in the backlog. The original pcrypt implementation did not correctly distinguish this return value from a true error condition. Additionally, the completion path can emit EINPROGRESS notifications that must be filtered out before the final completion callback fires.
Failure to handle these states correctly leads to inconsistent request lifecycle tracking. Callers may receive incorrect completion status, double-completion events, or wedged crypto operations that never finalize.
Root Cause
The root cause is missing logic in the pcrypt request submission and completion path. The code did not check for -EBUSY returns from MAY_BACKLOG submissions and did not suppress intermediate EINPROGRESS notifications. This represents a state-handling defect [CWE-372] in the kernel crypto API integration layer.
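A simplified user-space model of the two missing checks described above, added here as an illustration; it is not the kernel's pcrypt code or the upstream patch, and every function and struct name in it is hypothetical. It contrasts a wrapper that treats -EBUSY as a result and forwards -EINPROGRESS with one that handles both, and counts how often the caller is told the request finished.

```c
/* User-space model of the completion contract; constructed for illustration,
 * not kernel or pcrypt source. All names here are hypothetical. */
#include <errno.h>
#include <stdio.h>

typedef void (*done_fn)(void *data, int err);
struct outer_req { int completions; int status; };  /* the caller's view */

static done_fn pending_cb;      /* inner algorithm's single backlog slot */
static void *pending_data;

/* Inner algorithm with a full queue: a MAY_BACKLOG request is accepted onto
 * the backlog, so -EBUSY here means "queued", not "failed". */
static int inner_submit(done_fn cb, void *data)
{
    pending_cb = cb;
    pending_data = data;
    return -EBUSY;
}

/* Later: report that the request left the backlog, then deliver the result. */
static void inner_drain(void)
{
    pending_cb(pending_data, -EINPROGRESS);
    pending_cb(pending_data, 0);
}

static void complete(struct outer_req *r, int err) { r->completions++; r->status = err; }

/* Defective wrapper callback: forwards every notification as a completion. */
static void done_unfiltered(void *data, int err) { complete(data, err); }

/* Corrected wrapper callback: -EINPROGRESS is informational and is dropped. */
static void done_filtered(void *data, int err) { if (err != -EINPROGRESS) complete(data, err); }

/* Submit through the wrapper; fixed == 0 models the defect described above. */
static struct outer_req run(int fixed)
{
    struct outer_req r = { 0, 0 };
    int ret = inner_submit(fixed ? done_filtered : done_unfiltered, &r);
    if (!(ret == -EINPROGRESS || (fixed && ret == -EBUSY)))
        complete(&r, ret);      /* -EBUSY taken as a synchronous result */
    inner_drain();              /* the inner algorithm still calls back */
    return r;
}

int main(void)
{
    struct outer_req a = run(0), b = run(1);
    printf("unfixed: %d completions; fixed: %d (status %d)\n", a.completions, b.completions, b.status);
    return 0;
}
```

In the unfixed path the caller sees -EBUSY, then -EINPROGRESS, then 0 as three separate completions; in the fixed path it sees a single completion with status 0.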
Attack Vector
The vulnerability is triggered through normal kernel crypto API consumers that submit MAY_BACKLOG requests under load. Any kernel subsystem invoking pcrypt-wrapped algorithms during high crypto throughput can encounter the defective state path. Exploitation prerequisites and impact depend on which kernel consumers route through pcrypt on the target system.
The vulnerability manifests in the pcrypt request handling logic. See the upstream commits referenced below for the precise patch diffs and technical implementation details.
Detection Methods for CVE-2026-43493
Indicators of Compromise
- Kernel log entries indicating stalled or unresponsive crypto operations on systems using pcrypt
- Workloads reporting unexpected -EBUSY returns from kernel crypto API consumers
- Anomalous behavior in subsystems such as IPsec, dm-crypt, or fscrypt when pcrypt templates are in use
Detection Strategies
- Inventory running kernel versions across the fleet and compare against the patched commit hashes (46271895ddfb, 77d55bc8675e, 915b692e6cb7, 9f1cbca178c0, eb34e243df57)
- Audit /proc/crypto output for active pcrypt instances on production hosts
- Correlate kernel crash dumps and dmesg output for crypto-related state warnings
Monitoring Recommendations
- Track kernel package versions through configuration management and vulnerability scanners
- Monitor kernel telemetry for crypto subsystem errors and unexpected request stalls
- Subscribe to the Linux kernel stable tree for downstream fix backports relevant to your distribution
How to Mitigate CVE-2026-43493
Immediate Actions Required
- Identify all Linux hosts running affected kernel versions and prioritize patching for systems that use pcrypt-backed crypto workloads
- Apply the latest stable kernel updates from your Linux distribution vendor that incorporate the upstream fix
- Reboot patched systems to ensure the corrected kernel is active
Patch Information
The fix has been merged into the upstream Linux kernel through the following commits:
- Kernel commit 46271895ddfb
- Kernel commit 77d55bc8675e
- Kernel commit 915b692e6cb7
- Kernel commit 9f1cbca178c0
- Kernel commit eb34e243df57
The patches add explicit handling for -EBUSY from MAY_BACKLOG requests and filter EINPROGRESS notifications in the pcrypt completion path.
Workarounds
- Where patching is delayed, evaluate whether pcrypt templates can be avoided by configuring crypto consumers to use non-parallelized algorithm variants
- Reduce workload pressure on pcrypt-backed algorithms to minimize triggering of the backlog code path
- Coordinate with your Linux distribution support channel for backported patches if a full kernel upgrade is not feasible
# Check if pcrypt is active on the system
grep -A2 pcrypt /proc/crypto
# Verify current kernel version against vendor advisories
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


