CVE-2025-71131

Summary

In the Linux kernel, the following vulnerability has been resolved:

crypto: seqiv - Do not use req->iv after crypto_aead_encrypt

As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid.

Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux0a270321dbf948963aeb0e8382fe17d2c2eb3771 < 18202537856e0fae079fed2c9308780bcff2bb9daffected
LinuxLinux0a270321dbf948963aeb0e8382fe17d2c2eb3771 < baf0e2d1e03ddb04781dfe7f22a654d3611f69b2affected
LinuxLinux0a270321dbf948963aeb0e8382fe17d2c2eb3771 < 50f196d2bbaee4ab2494bb1b0d294deba292951aaffected
LinuxLinux0a270321dbf948963aeb0e8382fe17d2c2eb3771 < 0279978adec6f1296af66b642cce641c6580be46affected
LinuxLinux0a270321dbf948963aeb0e8382fe17d2c2eb3771 < ccbb96434d88e32358894c879457b33f7508e798affected
LinuxLinux0a270321dbf948963aeb0e8382fe17d2c2eb3771 < 5476f7f8a311236604b78fcc5b2a63b3a61b0169affected
LinuxLinux0a270321dbf948963aeb0e8382fe17d2c2eb3771 < 50fdb78b7c0bcc550910ef69c0984e751cac72faaffected
LinuxLinux2.6.25affected
LinuxLinux0 < 2.6.25unaffected
LinuxLinux5.10.248 <= 5.10.*unaffected
LinuxLinux5.15.198 <= 5.15.*unaffected
LinuxLinux6.1.160 <= 6.1.*unaffected
LinuxLinux6.6.120 <= 6.6.*unaffected
LinuxLinux6.12.64 <= 6.12.*unaffected
LinuxLinux6.18.4 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References