CVE-2026-43336 Affecting kernel-64kb package, versions <6.4.0-150700.53.66.1


Severity

Recommended
0.0
medium
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.43% (34th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES157-KERNEL64KB-17902876
  • published9 Jul 2026
  • disclosed8 Jul 2026

Introduced: 8 Jul 2026

NewCVE-2026-43336  (opens in a new tab)

How to fix?

Upgrade SLES:15.7 kernel-64kb to version 6.4.0-150700.53.66.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-64kb package and not the kernel-64kb package as distributed by SLES. See How to fix? for SLES:15.7 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: chacha: Zeroize permuted_state before it leaves scope

Since the ChaCha permutation is invertible, the local variable 'permuted_state' is sufficient to compute the original 'state', and thus the key, even after the permutation has been done.

While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don't bother at all since it's not guaranteed to work anyway), the kernel does try to do it as a best practice, especially in cases involving the RNG.

Thus, explicitly zeroize 'permuted_state' before it goes out of scope.

CVSS Base Scores

version 3.1