{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23222", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.987Z", "datePublished": "2026-02-18T14:53:25.504Z", "dateUpdated": "2026-05-11T22:02:41.109Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:41.109Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly\n\nThe existing allocation of scatterlists in omap_crypto_copy_sg_lists()\nwas allocating an array of scatterlist pointers, not scatterlist objects,\nresulting in a 4x too small allocation.\n\nUse sizeof(*new_sg) to get the correct object size."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/crypto/omap-crypto.c"], "versions": [{"version": "74ed87e7e7f7197137164738dd0610ccd5ec5ed1", "lessThan": "953c81941b0ad373674656b8767c00234ebf17ac", "status": "affected", "versionType": "git"}, {"version": "74ed87e7e7f7197137164738dd0610ccd5ec5ed1", "lessThan": "31aff96a41ae6f1f1687c065607875a27c364da8", "status": "affected", "versionType": "git"}, {"version": "74ed87e7e7f7197137164738dd0610ccd5ec5ed1", "lessThan": "79f95b51d4278044013672c27519ae88d07013d8", "status": "affected", "versionType": "git"}, {"version": "74ed87e7e7f7197137164738dd0610ccd5ec5ed1", "lessThan": "6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b", "status": "affected", "versionType": "git"}, {"version": "74ed87e7e7f7197137164738dd0610ccd5ec5ed1", "lessThan": "c184341920ed78b6466360ed7b45b8922586c38f", "status": "affected", "versionType": "git"}, {"version": "74ed87e7e7f7197137164738dd0610ccd5ec5ed1", "lessThan": "2ed27b5a1174351148c3adbfc0cd86d54072ba2e", "status": "affected", "versionType": "git"}, {"version": "74ed87e7e7f7197137164738dd0610ccd5ec5ed1", "lessThan": "d1836c628cb72734eb5f7dfd4c996a9c18bba3ad", "status": "affected", "versionType": "git"}, {"version": "74ed87e7e7f7197137164738dd0610ccd5ec5ed1", "lessThan": "1562b1fb7e17c1b3addb15e125c718b2be7f5512", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/crypto/omap-crypto.c"], "versions": [{"version": "4.13", "status": "affected"}, {"version": "0", "lessThan": "4.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.251", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.201", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.164", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.125", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.72", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "5.10.251"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "5.15.201"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.1.164"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.6.125"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.12.72"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/953c81941b0ad373674656b8767c00234ebf17ac"}, {"url": "https://git.kernel.org/stable/c/31aff96a41ae6f1f1687c065607875a27c364da8"}, {"url": "https://git.kernel.org/stable/c/79f95b51d4278044013672c27519ae88d07013d8"}, {"url": "https://git.kernel.org/stable/c/6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b"}, {"url": "https://git.kernel.org/stable/c/c184341920ed78b6466360ed7b45b8922586c38f"}, {"url": "https://git.kernel.org/stable/c/2ed27b5a1174351148c3adbfc0cd86d54072ba2e"}, {"url": "https://git.kernel.org/stable/c/d1836c628cb72734eb5f7dfd4c996a9c18bba3ad"}, {"url": "https://git.kernel.org/stable/c/1562b1fb7e17c1b3addb15e125c718b2be7f5512"}], "title": "crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "888104C0-CDC0-435D-BADD-1C2AEC9AEC77", "versionEndExcluding": "5.10.251", "versionStartIncluding": "4.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "600A89ED-86F2-48D8-BB7C-5EE7A8832FC5", "versionEndExcluding": "5.15.201", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6892F74B-3F14-4500-9652-24A2ECB04144", "versionEndExcluding": "6.1.164", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "74B70CDE-7B74-4280-BBCC-8889B8F28466", "versionEndExcluding": "6.6.125", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1A7E514-FB3C-4B6B-8046-07D5A8F04644", "versionEndExcluding": "6.12.72", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7099A9EC-3D54-4424-BF01-7224EF88C79C", "versionEndExcluding": "6.18.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly\n\nThe existing allocation of scatterlists in omap_crypto_copy_sg_lists()\nwas allocating an array of scatterlist pointers, not scatterlist objects,\nresulting in a 4x too small allocation.\n\nUse sizeof(*new_sg) to get the correct object size."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncrypto: omap - Asignar correctamente las scatterlists OMAP_CRYPTO_FORCE_COPY\n\nLa asignaci\u00f3n existente de scatterlists en omap_crypto_copy_sg_lists() estaba asignando un array de punteros a scatterlist, no objetos scatterlist, lo que resultaba en una asignaci\u00f3n 4 veces demasiado peque\u00f1a.\n\nUsar sizeof(*new_sg) para obtener el tama\u00f1o de objeto correcto."}], "id": "CVE-2026-23222", "lastModified": "2026-04-02T15:16:23.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-18T16:22:31.920", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1562b1fb7e17c1b3addb15e125c718b2be7f5512"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2ed27b5a1174351148c3adbfc0cd86d54072ba2e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/31aff96a41ae6f1f1687c065607875a27c364da8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/79f95b51d4278044013672c27519ae88d07013d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/953c81941b0ad373674656b8767c00234ebf17ac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c184341920ed78b6466360ed7b45b8922586c38f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d1836c628cb72734eb5f7dfd4c996a9c18bba3ad"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly", "id": "2440665", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440665"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23222", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23222\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23222\nhttps://lore.kernel.org/linux-cve-announce/2026021806-CVE-2026-23222-3958@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c184341920ed78b6466360ed7b45b8922586c38f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2ed27b5a1174351148c3adbfc0cd86d54072ba2e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d1836c628cb72734eb5f7dfd4c996a9c18bba3ad)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.125,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.72,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.11,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.1,6.20.0)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T18:13:32.321839+00:00", "value": {"mitigation_remediation": ["Upgrade to a kernel version that includes the patch correcting the scatterlist allocation; reference the commit logs linked in the advisory.", "If using a custom kernel module that relies on the OMAP cryptographic driver, rebuild the module against the patched kernel headers to ensure compatibility.", "As a temporary measure, prevent untrusted code from accessing the OMAP cryptographic device by revoking appropriate permissions (e.g., setting device permissions to root\u2011only or configuring SELinux/AppArmor profiles) or disable the OMAP crypto driver if it is not required."], "summary": {"action": "Update Kernel", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "Linux kernel encryption drivers employing the OMAP_CRYPTO_FORCE_COPY feature are affected. All kernel versions that include the buggy omap_crypto_copy_sg_lists() implementation are vulnerable; the patch is present in kernel releases newer than the commit referenced in the advisory. Specific vendor or product versions are not enumerated beyond the Linux kernel as a whole.", "description_and_impact": "The vulnerability resides in the Linux kernel\u2019s OMAP cryptographic driver, where an incorrect allocation size for scatterlists can lead to memory corruption. The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation. Use of an incorrect allocation size results in out\u2011of\u2011bounds writes when the driver populates the scatterlist array, potentially overwriting arbitrary kernel memory and enabling arbitrary code execution within kernel mode.", "risk_and_exploitability": "The CVSS score of 7.8 denotes a high severity. EPSS less than 1% indicates that the likelihood of exploitation is very low at the time of this analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a local privilege escalation or an attacker with sufficient access to the OMAP crypto device, since the flaw is triggered during driver operations. Exploitation would require influence over driver input to trigger the out\u2011of\u2011bounds write and is thus not trivially exploitable by remote actors."}}}}, "created": "2026-02-19T10:11:49.363189+00:00", "updated": "2026-04-15T18:15:10.856493+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}