| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026021808-CVE-2026-23229-9dfe@gregkh> Date: Wed, 18 Feb 2026 15:54:18 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2026-23229: crypto: virtio - Add spinlock protection with virtqueue notification From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: crypto: virtio - Add spinlock protection with virtqueue notification When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32 openssl processes will hangup and there is error reported like this: virtio_crypto virtio0: dataq.0:id 3 is not a head! It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well. The Linux kernel CVE team has assigned CVE-2026-23229 to this issue. Affected and fixed versions =========================== Fixed in 6.6.125 with commit d6f0d586808689963e58fd739bed626ff5013b24 Fixed in 6.12.72 with commit c0a0ded3bb7fd45f720faa48449a930153257d3a Fixed in 6.18.11 with commit e69a7b0a71b6561b3b6459f1fded8d589f2e8ac2 Fixed in 6.19.1 with commit 49c57c6c108931a914ed94e3c0ddb974008260a3 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-23229 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/crypto/virtio/virtio_crypto_core.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/d6f0d586808689963e58fd739bed626ff5013b24 https://git.kernel.org/stable/c/c0a0ded3bb7fd45f720faa48449a930153257d3a https://git.kernel.org/stable/c/e69a7b0a71b6561b3b6459f1fded8d589f2e8ac2 https://git.kernel.org/stable/c/49c57c6c108931a914ed94e3c0ddb974008260a3 https://git.kernel.org/stable/c/b505047ffc8057555900d2d3a005d033e6967382
Powered by blists - more mailing lists