CVE-2026-43492

In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: mpi: Fix integer underflow in mpireadrawfromsgl()

Yiming reports an integer underflow in mpireadrawfromsgl() when subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpireadrawfromsgl() passed a scatterlist whose length was equal to "nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTLPKEYENCRYPT system call with a larger "outlen" than "inlen" and filling the "in" buffer with zeroes, cryptoakciphersyncprep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipherrequest and thereby fulfil the conditions to trigger the bug:

syskeyctl() keyctlpkeyeds() asymmetrickeyedsop() softwarekeyedsop() cryptoakciphersyncencrypt() cryptoakciphersyncprep() cryptoakcipherencrypt() rsaenc() mpireadrawfromsgl()

To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.

Fix it.