CVE-2026-43492

In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: mpi: Fix integer underflow in mpi read raw from sgl()

Yiming reports an integer underflow in mpi read raw from sgl() when subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi read raw from sgl() passed a scatterlist whose length was equal to "nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL PKEY ENCRYPT system call with a larger "out len" than "in len" and filling the "in" buffer with zeroes, crypto akcipher sync prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher request and thereby fulfil the conditions to trigger the bug:

sys keyctl() keyctl pkey e d s() asymmetric key eds op() software key eds op() crypto akcipher sync encrypt() crypto akcipher sync prep() crypto akcipher encrypt() rsa enc() mpi read raw from sgl()

To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.

Fix it.