Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Linux kernel CAAM long HMAC key overflow

IdentifiersCVE-2026-43330CWE-125

CVE-2026-43330 is a Linux kernel vulnerability in the crypto CAAM subsystem's handling of HMAC keys longer than the hash block size. For oversized HMAC keys, the implementation copies the supplied key and hashes that copy into the effective key. The temporary buffer allocation needed to be rounded to DMA cache alignment to avoid corruption during hashing, but the vulnerable code performed the copy with kmemdup using the aligned allocation length rather than the original source length. As a result, the kernel could read past the end of the provided key buffer by aligned_len - keylen bytes. The associated hashing operation could also corrupt neighboring memory because of the alignment mismatch. The upstream fix replaces kmemdup with kmalloc followed by memcpy so that only the actual key length is copied while still allocating an appropriately aligned buffer.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to out-of-bounds kernel memory access and memory corruption in the CAAM crypto path. According to the provided CVSS data, the impact on confidentiality, integrity, and availability is high. In practical terms, a local attacker with low privileges may be able to trigger kernel memory corruption, potentially causing crashes, denial of service, exposure of adjacent kernel memory, or further compromise depending on the reachable code path and surrounding memory layout.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting untrusted local access to systems that use the vulnerable Linux kernel and CAAM crypto subsystem. Restrict low-privilege account access and avoid workloads that allow untrusted users or tenants to invoke affected HMAC operations through CAAM-backed kernel crypto paths. These are only partial mitigations; the authoritative mitigation is to install a fixed kernel.

Remediation

Patch, then assume compromise.

Apply a kernel update containing the upstream CAAM fix for CVE-2026-43330. The remediation described in the provided content is to replace the vulnerable kmemdup-based copy with kmalloc followed by memcpy, ensuring the temporary key buffer is allocated with the required DMA cache alignment while copying only keylen bytes from the source buffer. Vendor-fixed packages are available in SUSE and Red Hat advisories referenced in the content.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system
Rocky LinuxKerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

7 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-43330
NVD
nvd.nist.gov/vuln/detail/CVE-2026-43330
MITRE CWE · CWE-125
cwe.mitre.org
Patch
git.kernel.org/stable/c/31022cfde5235c45fa765f0aabeff5f0652852f2
Patch
git.kernel.org/stable/c/80688afb9c35b3934ce2d6be9973758915e2e0ef
Patch
git.kernel.org/stable/c/aa545df011338df13f0833fc1fabcb15c0521959
Patch
git.kernel.org/stable/c/c2fb4984fe09fc176fe4c12d5e3edf626df6511d
Patch
git.kernel.org/stable/c/cebc5ebd958346195b77f42d0cd5141b4e448fae