CVE-2026-52972
Severity: HIGH (CVSS 7)
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Cap AEAD AD length to 0x80000000. In order to prevent arithmetic overflows when checking the TX buffer size, cap the associated data length to 0x80000000.
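The description says the cap exists so that the TX buffer size check cannot overflow. The following is an added illustrative model of that failure mode and its fix, written for this page; it is not the kernel's af_alg code. It assumes, as the kernel's af_alg_control.aead_assoclen does, that the associated-data length arrives from userspace as a 32-bit unsigned value, and that the check compares queued TX bytes against "AD length + tag size". The function names, the hypothetical authsize argument and the inclusive reading of the 0x80000000 cap are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model, not the kernel's code. assoclen and authsize are 32-bit,
 * mirroring the 32-bit aead_assoclen field userspace supplies via sendmsg();
 * `used` is the number of bytes queued in the TX buffer (size_t). */

/* Cap from the CVE description; assumed to be inclusive. */
#define AF_ALG_AEAD_AD_CAP 0x80000000u

/* Buggy shape of the check: both operands are 32-bit, so the sum wraps
 * before it is ever widened for the comparison. With assoclen = 0xFFFFFFF0
 * and a 32-byte tag the sum is 16, and a 16-byte buffer "has enough data". */
static bool tx_has_data_unchecked(size_t used, uint32_t assoclen, uint32_t authsize)
{
    return used >= assoclen + authsize;   /* 32-bit wraparound (CWE-190) */
}

/* Hardened: reject the AD length where it is accepted from userspace
 * (the kernel fix caps it at 0x80000000). Returns -1 as a model of -EINVAL. */
static int validate_assoclen(uint32_t assoclen)
{
    if (assoclen > AF_ALG_AEAD_AD_CAP)
        return -1;
    return 0;
}

/* Hardened check: validated assoclen plus a widened sum. With assoclen <= 2^31
 * and a tag of at most a few dozen bytes the sum cannot wrap even when size_t
 * is 32 bits wide. */
static bool tx_has_data_checked(size_t used, uint32_t assoclen, uint32_t authsize)
{
    if (validate_assoclen(assoclen) != 0)
        return false;
    return used >= (size_t)assoclen + (size_t)authsize;
}

int main(void)
{
    /* Constructed input: hostile AD length, 32-byte tag, only 16 bytes queued. */
    size_t used = 16;
    uint32_t assoclen = 0xFFFFFFF0u;
    uint32_t authsize = 32;

    printf("unchecked: buffer judged sufficient = %s\n",
           tx_has_data_unchecked(used, assoclen, authsize) ? "yes (wrong)" : "no");
    printf("checked:   buffer judged sufficient = %s\n",
           tx_has_data_checked(used, assoclen, authsize) ? "yes" : "no (rejected)");
    return 0;
}
```

The point of capping at the accept path rather than only widening the arithmetic is that every later consumer of the length (the recvmsg side, the tag offset computation) inherits a bounded value instead of each having to guard its own arithmetic.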
ELEVATED IMPACT
Severe if exploited (CVSS 7), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
- 0.1% chance of exploitation in 30 days (4th percentile)
- In CISA KEV: no
- Public exploit / PoC: none known
Impact if exploited
- CVSS 3.1 base score 7 (HIGH)
- Confidentiality: High
- Integrity: High
- Availability: High
What an attacker needs
- ⚠Access: Requires local access to the host
- ⚠Privileges: Requires a low-privilege account
- ✓User interaction: No user interaction needed
- ⚠Complexity: Needs a race window or specific setup
✓ lowers the bar for an attacker · ⚠ raises it
Affected products
- Linux
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 10
Weakness (CWE)
- CWE-190: Integer Overflow or Wraparound
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
Technical & other
- https://git.kernel.org/stable/c/f8a5203596797f394ff3f9aa4005597a92249802
- https://git.kernel.org/stable/c/a9f68d9ed38dd6e5a6c6d75b03d25c1c133e321d
- https://git.kernel.org/stable/c/a4fe4eb580bbc7439f649a496d4cf38415a4021c
- https://git.kernel.org/stable/c/e4c4a5074532eaaa14951994a3aad0d479aa7431
- https://git.kernel.org/stable/c/265ac26d1c5e17b34d497cbda1f754a1ec8552bc
- https://git.kernel.org/stable/c/a1c5672faf8e93e38c2deac3979cc767ca5cf918
- https://git.kernel.org/stable/c/97948906dc8e0ea84775e03e35b60a2063c70193
- https://git.kernel.org/stable/c/e4c06479d7059888adf2f22bc1ebcf053bf691a2
- https://access.redhat.com/security/cve/CVE-2026-52972
- https://bugzilla.redhat.com/show_bug.cgi?id=2492364
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52972.json