CVE-2026-46019 Overview
CVE-2026-46019 is a memory leak vulnerability in the Linux kernel's Atmel AES cryptographic driver. The flaw resides in the atmel_aes_buff_cleanup() function within the crypto/atmel-aes subsystem. The cleanup routine releases only a single page of memory using free_page(), while the corresponding allocation in atmel_aes_buff_init() reserves four pages through __get_free_pages() with ATMEL_AES_BUFFER_ORDER. Each cleanup cycle leaks three pages of kernel memory. Over time, repeated module load and unload operations or driver reinitialization can exhaust system memory on devices using Atmel AES hardware acceleration.
Critical Impact
Repeated invocation of the Atmel AES driver cleanup path leaks three memory pages per cycle, leading to gradual kernel memory exhaustion on affected embedded and ARM-based Linux systems.
Affected Products
- Linux kernel branches that include the atmel-aes crypto driver prior to the fixes referenced in the upstream stable trees
- Embedded and SoC platforms using Atmel/Microchip AES hardware acceleration
- Distributions tracking stable kernel branches receiving the backported patches 230ad8a78fe6, 3fcfff4ed35f, 61516b4a5b26, 65b3589d39d0, and b63f1e2f0e31
Discovery Timeline
- 2026-05-27 - CVE-2026-46019 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46019
Vulnerability Analysis
The vulnerability is a classic memory leak [CWE-401] in the Atmel AES crypto driver. The atmel_aes_buff_init() function allocates a contiguous block of four pages using __get_free_pages(GFP_KERNEL, ATMEL_AES_BUFFER_ORDER), where ATMEL_AES_BUFFER_ORDER corresponds to an order-2 allocation. The companion teardown function atmel_aes_buff_cleanup() mistakenly calls free_page(), which releases only a single page. The remaining three pages stay reserved in the kernel page allocator but are unreachable.
The leak triggers each time the driver is unloaded, reprobed, or its buffers are reinitialized. On long-running systems, repeated probe and remove sequences accumulate unreclaimable kernel memory. Embedded devices with limited RAM are most exposed to operational degradation.
Root Cause
The root cause is an asymmetric allocation and free pair. The allocator uses the multi-page __get_free_pages() API with a non-zero order, while the deallocator uses free_page(), which is equivalent to free_pages(addr, 0). The order argument is silently dropped during cleanup, so the page allocator only marks the first page as free.
Attack Vector
This is a locally triggered reliability issue rather than a remote attack primitive. A local user or automated workload that can repeatedly invoke the affected code path, such as cycling the driver through module load and unload, will progressively consume kernel memory. The vulnerability does not directly enable code execution or privilege escalation. Sustained exploitation produces a denial-of-service condition through kernel memory exhaustion.
The fix replaces free_page() with free_pages(addr, ATMEL_AES_BUFFER_ORDER) so that all four pages are returned to the page allocator. See the upstream commits referenced below for the exact diff.
Detection Methods for CVE-2026-46019
Indicators of Compromise
- Steady growth in MemUnreclaimable or Slab counters in /proc/meminfo on systems using Atmel AES acceleration
- Increasing values in /proc/buddyinfo order-2 fragmentation without corresponding workload growth
- Repeated atmel_aes module load and unload events in dmesg or systemd journal logs
- Kernel allocation failures referencing atmel-aes in syslog under prolonged uptime
Detection Strategies
- Audit running kernel versions against the patched stable branches identified by the upstream commits 230ad8a78fe6, 3fcfff4ed35f, 61516b4a5b26, 65b3589d39d0, and b63f1e2f0e31
- Track per-process and kernel memory consumption trends on devices that use the atmel_aes driver, focusing on long-running deployments
- Correlate driver bind and unbind events from sysfs with subsequent memory usage deltas
Monitoring Recommendations
- Collect /proc/meminfo, /proc/slabinfo, and /proc/buddyinfo snapshots at fixed intervals on affected hardware
- Alert on sustained reduction of free memory on devices where workload patterns are stable
- Monitor uptime-adjusted memory baselines for embedded fleets running Atmel/Microchip SoCs
How to Mitigate CVE-2026-46019
Immediate Actions Required
- Identify all systems running the atmel_aes driver, particularly Microchip and Atmel SoC-based devices
- Apply the upstream kernel patch that replaces free_page() with free_pages(addr, ATMEL_AES_BUFFER_ORDER) in atmel_aes_buff_cleanup()
- Update to a stable kernel release containing one of the merged fix commits referenced in the NVD entry
- Schedule controlled reboots on long-uptime devices to reclaim previously leaked pages
Patch Information
The fix is available across multiple stable Linux kernel branches. Refer to the upstream commits: Kernel commit 230ad8a78fe6, Kernel commit 3fcfff4ed35f, Kernel commit 61516b4a5b26, Kernel commit 65b3589d39d0, and Kernel commit b63f1e2f0e31. Rebuild or pull updated vendor kernels from your distribution's stable channel.
Workarounds
- Disable the atmel_aes driver where hardware AES acceleration is not required, and rely on software crypto via the kernel crypto API
- Avoid repeated module load and unload cycles of atmel_aes on unpatched systems
- Reboot affected devices on a maintenance schedule to release accumulated leaked pages until a patched kernel is deployed
# Blacklist the atmel_aes module on unpatched systems where hardware AES is not required
echo "blacklist atmel_aes" | sudo tee /etc/modprobe.d/blacklist-atmel-aes.conf
sudo update-initramfs -u
# Verify driver is not loaded after reboot
lsmod | grep atmel_aes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
