CVE-2026-53055
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk35th percentile — higher than 35% of all known CVEs
Summary
In the Linux kernel's hisilicon/sec2 crypto driver, a use-after-free vulnerability was found. Under heavy system load, hardware may complete packet processing and free the request memory (req) before the transmission function finishes, causing an error. The fix replaces the req pointer with the qp_ctx structure, which persists throughout the packet sending process.
Risk Assessment
This vulnerability could cause a kernel panic or potentially allow arbitrary code execution in kernel context, posing a serious risk to system stability and security.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit in Linus' tree or a distribution backport). A system reboot is required after the update.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/sec2 - prevent req used-after-free for sec During packet transmission, if the system is under heavy load, the hardware might complete processing the packet and free the request memory (req) before the transmission function finishes. If the software subsequently accesses this req, a use-after-free error will occur. The qp_ctx memory exists throughout the packet sending process, so replace the req with the qp_ctx.

