CVE-2026-43493 · In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling of MAY_BACKLOG requests MAY_BACKLOG requ

01 · The Real Story

This is closer to a jammed conveyor belt in the crypto engine than an open front door

pcrypt is the Linux kernel's parallel crypto wrapper, used to run crypto work in kernel threads. The fix for CVE-2026-43493 corrects how MAY_BACKLOG async AEAD requests handle -EBUSY and stray -EINPROGRESS callbacks; without it, request completion state can be mishandled. The bug is in crypto/pcrypt.c, was reported by Yiming Qian, and upstream fixed it in commit 915b692e6cb723aac658c25eb82c58fd81235110, with backports flowing into stable branches and distro kernels.

The vendor's 9.8 / AV:N / PR:N label does not match how this lands in enterprise reality. pcrypt is not a network service, the vulnerable path depends on CONFIG_CRYPTO_PCRYPT plus an async AEAD workload that actually hits MAY_BACKLOG, and public evidence so far points to availability/stability fallout rather than straightforward remote code execution. Ubuntu tags it *Medium* and SUSE rescored it as a local, availability-heavy issue, which is much closer to the truth.

"This is a kernel bookkeeping bug with narrow reachability, not a real-world 9.8 remote takeover."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get execution on the host or a path into kernel crypto

An attacker first needs a way to run code on the Linux system or to drive a reachable application/kernel subsystem that actually routes attacker-controlled async AEAD work into the kernel Crypto API. There is no public evidence that the vulnerable path is directly exposed as a pre-auth network listener. No public weaponized tool or PoC was found during review.

Conditions required:

Local code execution, container foothold, or a reachable service that exercises kernel async AEAD
CONFIG_CRYPTO_PCRYPT present and the code path actually in use

Where this breaks in practice:

Most enterprise hosts do not expose pcrypt directly to the network
Many systems never load or invoke pcrypt at all

Detection/coverage: Commodity vuln scanners will flag by kernel package/CVE only; they generally do not verify whether pcrypt is enabled, loaded, or reachable in runtime.

STEP 02

Force the MAY_BACKLOG path under queue pressure

The attacker then needs to generate async AEAD requests that can legitimately return -EBUSY when MAY_BACKLOG is set. This is a specific scheduler/backlog condition in the crypto worker path, not a generic syscall that trivially triggers on demand from every host profile.

Conditions required:

Async AEAD operations are used
Backlog behavior is reachable under workload conditions

Where this breaks in practice:

Requires a fairly specific traffic shape and kernel execution path
Modern deployments may use user-space TLS/crypto stacks that never touch this path

Detection/coverage: No widely deployed network signature exists for this condition; high-fidelity detection would come from kernel tracing/eBPF around crypto_aead_encrypt, crypto_aead_decrypt, and unusual EBUSY/EINPROGRESS callback patterns.

STEP 03

Exploit incorrect completion/error handling

Before the fix, pcrypt could mishandle -EBUSY and process -EINPROGRESS notifications incorrectly. That can corrupt request state bookkeeping and break crypto operation completion semantics, with the most credible impact being service instability or kernel-side malfunction rather than clean code execution.

Conditions required:

Vulnerable kernel build
The exact pcrypt async AEAD branch is hit repeatedly

Where this breaks in practice:

Public advisories do not document a privilege-escalation or RCE chain
Impact appears to be operational correctness/availability, not attacker-controlled memory corruption with a published exploit path

Detection/coverage: Kernel crash logs, soft lockups, and anomalous crypto/request failures are the likely observables; there is no mature exposure scanner for runtime exploitability here.

STEP 04

Turn it into meaningful impact

If the attacker can sustain the condition, the realistic end state is denial of service or destabilization of the host or of applications depending on that crypto path. That is still worth fixing, especially on shared or high-throughput Linux systems, but it is far from the vendor's implied Internet-wide unauthenticated host compromise.

Conditions required:

Business-critical workloads depend on the affected crypto path
The attacker can keep hitting the vulnerable request pattern

Where this breaks in practice:

Blast radius is usually the local host or workload using the path
No in-the-wild exploitation, KEV listing, or public exploit kit currently amplifies risk

Detection/coverage: EDR will not understand this bug directly; SIEM visibility comes from kernel logs, crash telemetry, and host performance anomalies.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No current exploitation signal. CISA KEV does not list `CVE-2026-43493`, and I found no authoritative public reporting of active campaigns.
Public PoC / tooling	None found. No public GitHub/Exploit-DB PoC or named exploit tool surfaced in review; the public record is patch-centric.
EPSS	Very low. Docker Scout surfaces FIRST EPSS as `0.00062` with percentile `0.194` (~19.4th percentile), consistent with weak exploitation interest.
KEV status	Not KEV-listed as of the reviewed CISA catalog; no added date or federal due date exists.
Vendor CVSS vs reality	Vendor says `9.8 / AV:N / PR:N`; SUSE says `5.5 / AV:L / PR:L / A:H`. The distro-side local/availability framing matches the actual attack chain much better than the CNA's pre-auth network framing.
Affected scope	Affects the Linux kernel `pcrypt` parallel crypto engine path after `Fixes: 5a1436beec57` according to the upstream patch. Practical exposure exists only where `CONFIG_CRYPTO_PCRYPT` is present and async AEAD workloads actually hit `MAY_BACKLOG`.
Fixed versions	Upstream fix is commit `915b692e6cb723aac658c25eb82c58fd81235110`. Debian shows fixes at `6.12.86-1` and `7.0.4-1`; stable review traffic shows inclusion for `5.15.209-rc1`, `6.1.175-rc1`, `6.6.140-rc1`, and `6.12.86-rc1`.
Scanning / exposure data	Not Internet-fingerprintable. This is a kernel module/configuration/runtime path, not a bannered daemon, so Shodan/Censys-style external counting is largely irrelevant; reachability must be judged from host role and kernel config.
Disclosure	Published `2026-05-19`; NVD shows last modification `2026-06-01` and references multiple stable backports.
Reporter / ecosystem posture	Reported by Yiming Qian in the upstream patch. Ubuntu currently tags the issue Medium and SUSE marks overall severity moderate, both of which argue strongly against emergency-tier handling.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (4.8/10)

The decisive factor is attacker position and reachability: this is not a believable pre-auth Internet bug despite the vendor vector. You need a host-level foothold or a very specific reachable crypto workload that actually exercises pcrypt with MAY_BACKLOG, and the public signal shows no KEV, no campaigns, and no PoC momentum.

HIGH Downgrade from vendor `9.8` to a non-emergency severity bucket

MEDIUM Exact operational exposure on any given fleet without runtime telemetry for `pcrypt` use

Why this verdict

Vendor vector overstates reachability — AV:N/PR:N assumes an attacker can hit this bug like a remotely exposed service, but pcrypt is a kernel helper path, not a socket-facing daemon.
Module + workload gating cuts the exposed population hard — you need CONFIG_CRYPTO_PCRYPT plus an async AEAD workload that actually reaches the MAY_BACKLOG branch, which many enterprise Linux hosts never do.
Exploit intelligence is quiet — no KEV listing, no public exploitation evidence, no public PoC, and an EPSS around 0.00062 are all downward pressure from the vendor baseline.
Likely blast radius is host-local availability — the public fix narrative is about incorrect async completion/error handling, not a documented path to data theft or reliable privilege escalation.
Modern controls indirectly help — EDR, container isolation, least-privilege host access, and reducing arbitrary code execution on Linux nodes all make the first prerequisite harder, which matters because this is effectively post-initial-access in most real environments.

Why not higher?

There is no credible evidence that unauthenticated remote attackers can directly reach this code path across normal enterprise fleets. The missing pieces are a public exploit chain, a pre-auth network entry point, and any meaningful in-the-wild signal; without those, HIGH or CRITICAL would be vendor-score cargo culting.

Why not lower?

It still sits in the kernel, and when the affected path is present the impact can be system instability on important Linux infrastructure. On shared compute, crypto-heavy appliances, or specialized hosts that actually load and use pcrypt, the operational consequence is real enough that this should stay above pure backlog noise.

05 · Compensating Control

What to do — in priority order.

Inventory pcrypt usage — Check whether pcrypt is built, loaded, or referenced anywhere in your fleet so you stop treating every Linux host as equally exposed. For a MEDIUM verdict there is no noisgate mitigation SLA; do this during normal patch-validation work and use it to target the actual subset before the remediation deadline.
Blacklist unused pcrypt — Where pcrypt is a loadable module and you confirm no dependency, blacklist or prevent loading to collapse the attack surface entirely. For MEDIUM, there is no mitigation SLA, so apply this as a hygiene control in the normal change window rather than as an emergency action.
Harden shared Linux execution — Prioritize least privilege, container isolation, and limiting arbitrary code execution on multi-tenant Linux systems, because the real attack chain usually starts with a foothold on the box. This is the most useful compensating control when a kernel bug is effectively post-initial-access.
Watch for crypto-path instability — Add alerting for unusual kernel crashes, soft lockups, or repeated crypto request failures on systems known to use kernel crypto heavily. It will not prevent the bug, but it shortens the time to identify the small set of actually exposed roles.

What doesn't work

A WAF or reverse proxy does not help; there is no clear HTTP-facing exploit path to filter.
Perimeter scanning does not answer exposure, because pcrypt is not externally fingerprintable like a service banner.
Patching OpenSSL/GnuTLS alone is not a fix; this issue is in the kernel pcrypt path, not a user-space crypto library update.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host. Invoke it as bash verify-cve-2026-43493.sh or sudo bash verify-cve-2026-43493.sh; root is recommended so the script can read /proc/config.gz, /boot/config-*, and installed kernel source/header trees. The script prefers direct source/header inspection for the actual fix logic and falls back to conservative version heuristics, returning VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# verify-cve-2026-43493.sh
# Check Linux kernel for CVE-2026-43493 (crypto: pcrypt - Fix handling of MAY_BACKLOG requests)
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

KREL="$(uname -r)"
BASE="${KREL%%-*}"

have_cmd() { command -v "$1" >/dev/null 2>&1; }

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ] && [ "$1" != "$2" ]
}

is_fixed_by_version() {
  local v="$1"
  case "$v" in
    5.10.*) ver_lt "$v" "5.10.258" && return 1 || return 0 ;;
    5.15.*) ver_lt "$v" "5.15.209" && return 1 || return 0 ;;
    6.1.*)  ver_lt "$v" "6.1.175"  && return 1 || return 0 ;;
    6.6.*)  ver_lt "$v" "6.6.140"  && return 1 || return 0 ;;
    6.12.*) ver_lt "$v" "6.12.86"  && return 1 || return 0 ;;
    7.0.*)  ver_lt "$v" "7.0.4"    && return 1 || return 0 ;;
    7.1.*)  return 0 ;;
    *)      return 2 ;;
  esac
}

check_source_file() {
  local f="$1"
  [ -r "$f" ] || return 2

  if grep -Eq 'if \(err == -EINPROGRESS\)' "$f" && \
     grep -Eq 'ret == -EINPROGRESS \|\| ret == -EBUSY' "$f"; then
    return 0
  fi

  if grep -Eq 'ret == -EINPROGRESS\)' "$f" && \
     ! grep -Eq 'ret == -EINPROGRESS \|\| ret == -EBUSY' "$f"; then
    return 1
  fi

  return 2
}

read_kernel_config() {
  if [ -r /proc/config.gz ] && have_cmd zgrep; then
    zgrep -E '^CONFIG_CRYPTO_PCRYPT=' /proc/config.gz 2>/dev/null | tail -n1
    return
  fi
  if [ -r "/boot/config-$KREL" ]; then
    grep -E '^CONFIG_CRYPTO_PCRYPT=' "/boot/config-$KREL" 2>/dev/null | tail -n1
    return
  fi
  echo ""
}

PCONF="$(read_kernel_config)"
PMOD="unknown"
case "$PCONF" in
  CONFIG_CRYPTO_PCRYPT=y) PMOD="builtin" ;;
  CONFIG_CRYPTO_PCRYPT=m) PMOD="module" ;;
  CONFIG_CRYPTO_PCRYPT=n) PMOD="disabled" ;;
  *) PMOD="unknown" ;;
esac

# 1) Best check: inspect installed source/header trees for the fixed logic.
CANDIDATES=(
  "/lib/modules/$KREL/source/crypto/pcrypt.c"
  "/lib/modules/$KREL/build/crypto/pcrypt.c"
  "/usr/src/linux-headers-$KREL/crypto/pcrypt.c"
  "/usr/src/kernels/$KREL/crypto/pcrypt.c"
)

for f in "${CANDIDATES[@]}"; do
  check_source_file "$f"
  rc=$?
  if [ $rc -eq 0 ]; then
    echo "PATCHED: fix logic present in $f (CVE-2026-43493)"
    exit 0
  elif [ $rc -eq 1 ]; then
    if [ "$PMOD" = "disabled" ]; then
      echo "PATCHED: vulnerable code pattern in source tree, but CONFIG_CRYPTO_PCRYPT is disabled"
      exit 0
    fi
    echo "VULNERABLE: unfixed pcrypt logic found in $f"
    exit 1
  fi
done

# 2) Secondary check: loaded module binary presence.
if lsmod 2>/dev/null | awk '{print $1}' | grep -qx 'pcrypt'; then
  PLOADED="yes"
else
  PLOADED="no"
fi

# 3) Fallback: upstream-style version heuristic.
is_fixed_by_version "$BASE"
rc=$?
if [ $rc -eq 0 ]; then
  echo "PATCHED: kernel base version $BASE is at or above a known upstream fixed branch threshold; verify distro backports if this is a vendor kernel"
  exit 0
elif [ $rc -eq 1 ]; then
  if [ "$PMOD" = "disabled" ]; then
    echo "PATCHED: kernel version is in an affected upstream range, but CONFIG_CRYPTO_PCRYPT is disabled"
    exit 0
  fi
  echo "VULNERABLE: kernel base version $BASE is below known upstream fixed thresholds and pcrypt is $PMOD (loaded=$PLOADED)"
  exit 1
fi

# 4) Unknown branch or vendor backport ambiguity.
echo "UNKNOWN: cannot prove fix state for kernel $KREL. pcrypt_config=$PMOD loaded=$PLOADED. Check vendor advisory/changelog or install matching kernel headers/source and rerun."
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, stop treating this like a fire-drill 9.8 and re-rank it as a targeted kernel maintenance item. First, identify the small subset of Linux systems that actually have pcrypt enabled or loaded and give extra attention to shared compute, crypto-heavy appliances, and unusual kernel-crypto consumers; there is no noisgate mitigation SLA — go straight to the 365-day remediation window for this MEDIUM verdict. Then roll the vendor kernel update into your normal patch program and complete the actual patching within the noisgate remediation SLA of ≤365 days, sooner for the systems where pcrypt is confirmed present in runtime.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.