QwikSec

Security Database

CVE

CWE

Training

CVE-2026-28529

Published: Mar 25, 2026

Modified: May 11, 2026

PUBLISHED

Description

cryptodev-linux version 1.14 and prior contain a page reference handling flaw in the get_userbuf function of the /dev/crypto device driver that allows local users to trigger use-after-free conditions. Attackers with access to the /dev/crypto interface can repeatedly decrement reference counts of controlled pages to achieve local privilege escalation.

Vendor	Product	Versions
cryptodev-linux	cryptodev-linux	affected `0 - <= 1.14`

Weaknesses (CWE)

References

https://nasm.re/posts/cryptodev-linux-vuln/

technical-description

exploit

https://gist.github.com/n4sm/0fd2479e0c23e0fa2f192cd8fda45750

exploit

https://github.com/cryptodev-linux/cryptodev-linux/pull/104

patch

https://www.vulncheck.com/advisories/cryptodev-linux-get-userbuf-use-after-free-lpe

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.