PT-2026-2874 · Linux · Linux Kernel

Published 2025-01-01 · Updated 2026-05-11 · CVE-2025-71113

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: The Linux kernel's crypto user-space API (AF_ALG) allocated several of its contexts and requests with sock_kmalloc(), which does not zero-initialize the memory it returns, so every field had to be set explicitly by the caller. Any field a caller missed kept whatever the allocator left behind. This surfaced as use of uninitialized data in error paths and broke newly added fields such as the inflight variable introduced in commit 67b164a871af: af_alg_alloc_areq() tested inflight, found garbage instead of false, and spuriously returned -EBUSY. The fix zero-initializes the allocated memory so that all fields start in a known state and such random failures cannot occur.
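The failure mode described above, as an added user-space C simulation that is not kernel code and not part of this advisory: dirty_kmalloc() stands in for sock_kmalloc() by handing back non-zero bytes, ctx_alloc_fieldwise() mirrors the pre-fix pattern of assigning the known fields by hand while the later-added inflight field is forgotten, ctx_alloc_zeroed() is the fixed pattern, and alloc_areq() reproduces the single-in-flight gate from af_alg_alloc_areq(). All struct and function names other than af_alg_alloc_areq() and sock_kmalloc() are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative stand-in for the per-socket crypto context. Only the fields
 * needed to show the failure are modelled; the names are assumptions. */
struct alg_ctx {
    bool more;     /* set explicitly by the pre-fix caller */
    bool merge;    /* set explicitly by the pre-fix caller */
    bool enc;      /* set explicitly by the pre-fix caller */
    bool inflight; /* added later; the pre-fix caller never touched it */
};

/* Stand-in for sock_kmalloc(): the returned bytes are whatever was there
 * before. Filling with 0x01 simulates a recycled allocation whose bytes
 * happen to be non-zero (0x01 keeps every bool a valid representation). */
static void *dirty_kmalloc(size_t size)
{
    void *p = malloc(size);
    if (p)
        memset(p, 0x01, size);
    return p;
}

/* Stand-in for a zeroing allocation (kmalloc with __GFP_ZERO). */
static void *zeroed_kmalloc(size_t size)
{
    return calloc(1, size);
}

/* Pre-fix pattern: allocate, then assign each known field by hand. The
 * newer inflight field is not on the caller's list and keeps garbage. */
static struct alg_ctx *ctx_alloc_fieldwise(void)
{
    struct alg_ctx *ctx = dirty_kmalloc(sizeof(*ctx));
    if (!ctx)
        return NULL;
    ctx->more = false;
    ctx->merge = false;
    ctx->enc = false;
    /* ctx->inflight deliberately left unset, mirroring the bug */
    return ctx;
}

/* Fixed pattern: zero the whole block so every field, including any added
 * in the future, starts in a known state. */
static struct alg_ctx *ctx_alloc_zeroed(void)
{
    return zeroed_kmalloc(sizeof(struct alg_ctx));
}

/* Mirrors the gate in af_alg_alloc_areq(): a context may have only one AIO
 * request in flight. Returns 0 when the request is admitted, else -EBUSY. */
static int alloc_areq(struct alg_ctx *ctx)
{
    if (ctx->inflight)
        return -EBUSY;
    ctx->inflight = true;
    return 0;
}

/* Builds a fresh context with the given allocator and returns the status of
 * the very first request on it. A correct context must admit that request. */
static int first_request_status(struct alg_ctx *(*alloc)(void))
{
    struct alg_ctx *ctx = alloc();
    int ret;

    if (!ctx)
        return -ENOMEM;
    ret = alloc_areq(ctx);
    free(ctx);
    return ret;
}

/* Shows that zero-initialization does not weaken the check itself: a second
 * request while the first is still in flight is still refused. */
static int second_request_status(void)
{
    struct alg_ctx *ctx = ctx_alloc_zeroed();
    int ret;

    if (!ctx)
        return -ENOMEM;
    (void)alloc_areq(ctx);
    ret = alloc_areq(ctx);
    free(ctx);
    return ret;
}
```

Calling first_request_status() with each allocator shows the very first request refused with -EBUSY on the field-wise context and admitted on the zeroed one; second_request_status() confirms that the gate still refuses a concurrent second request, so the fix changes only the initialization, not the semantics of the check.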
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. The distribution security advisories that reference this CVE (see Related Identifiers) are the place to check for patched kernel packages.

Exploit

Weakness Enumeration

Use of Uninitialized Resource (CWE-908)

Related Identifiers

AZL-74612
CVE-2025-71113
ECHO-D911-0C5A-274E
MGASA-2026-0017
MGASA-2026-0018
OESA-2026-1303
OESA-2026-1304
OESA-2026-1305
OPENSUSE-SU-2026:20287-1
SUSE-SU-2026:0962-1
SUSE-SU-2026:1041-1
SUSE-SU-2026:1078-1
SUSE-SU-2026:1081-1
SUSE-SU-2026:20555-1
SUSE-SU-2026:20599-1
SUSE-SU-2026:20615-1
SUSE-SU-2026:20667-1
SUSE-SU-2026:20720-1
SUSE-SU-2026:20845-1
SUSE-SU-2026:20876-1
USN-8096-1
USN-8096-2
USN-8096-3
USN-8096-4
USN-8096-5
USN-8116-1
USN-8141-1
USN-8163-1
USN-8163-2
USN-8177-1
USN-8177-2
USN-8179-1
USN-8179-2
USN-8179-3
USN-8179-4
USN-8183-1
USN-8183-2
USN-8184-1
USN-8185-1
USN-8185-2
USN-8203-1
USN-8204-1
USN-8243-1
USN-8245-1
USN-8257-1
USN-8258-1
USN-8260-1
USN-8261-1
USN-8265-1

Affected Products

Linux Mint
Linux Kernel
Ubuntu