In the Linux kernel, the following vulnerability has been resolved:
crypto: acomp - fix wrong pointer stored by acomp_save_req()
acomp_save_req() stores &req->chain in req->base.data. When acomp_reqchain_done() is invoked on asynchronous completion, it receives &req->chain as the data argument but casts it directly to struct acomp_req. Since data points to the chain member, all subsequent field accesses are at a wrong offset, resulting in memory corruption.
The issue occurs when an asynchronous hardware implementation, such as the QAT driver, completes a request that uses the DMA virtual address interface (e.g. acomp_request_set_src_dma()). This combination causes crypto_acomp_compress() to enter the acomp_do_req_chain() path, which sets acomp_reqchain_done() as the completion callback via acomp_save_req().
With KASAN enabled, this manifests as a general protection fault in acomp_reqchain_done():
    general protection fault, probably for non-canonical address 0xe000040000000000
    KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007]
    RIP: 0010:acomp_reqchain_done+0x15b/0x4e0
    Call Trace:
     <IRQ>
     qat_comp_alg_callback+0x5d/0xa0 [intel_qat]
     adf_ring_response_handler+0x376/0x8b0 [intel_qat]
     adf_response_handler+0x60/0x170 [intel_qat]
     tasklet_action_common+0x223/0x820
     handle_softirqs+0x1ab/0x640
     </IRQ>
Fix this by storing the request itself in req->base.data instead of &req->chain, so that acomp_reqchain_done() receives the correct pointer. Simplify acomp_restore_req() accordingly to access req->chain directly.
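The pointer mismatch described above can be reproduced in a user-space model. This is an added example, not kernel code: the model_* structs, their field layout and the helper names are hypothetical stand-ins, and the mis-cast pointer is only compared, never dereferenced.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model; the layout is hypothetical, not the kernel's. */
struct model_base  { void *data; };          /* stands in for req->base  */
struct model_chain { void *state; int err; };/* stands in for req->chain */
struct model_req {
    struct model_base  base;
    unsigned int       slen, dlen;
    struct model_chain chain;                /* member at a non-zero offset */
};

/* Behaviour before the fix: the address of the chain member is stored. */
static void save_req_before_fix(struct model_req *req)
{
    req->base.data = &req->chain;
}

/* Behaviour after the fix: the request itself is stored. */
static void save_req_after_fix(struct model_req *req)
{
    req->base.data = req;
}

/* What the completion callback does with its argument: a direct cast.
 * The result is only compared by the caller, never dereferenced. */
static struct model_req *callback_view(void *data)
{
    return (struct model_req *)data;
}

/* Byte distance between the request the callback assumes and the real one. */
static ptrdiff_t callback_skew(struct model_req *req)
{
    return (char *)callback_view(req->base.data) - (char *)req;
}

int main(void)
{
    struct model_req a = {0}, b = {0};

    save_req_before_fix(&a);
    save_req_after_fix(&b);
    printf("before fix: callback pointer is off by %td bytes\n", callback_skew(&a));
    printf("after fix:  callback pointer is off by %td bytes\n", callback_skew(&b));
    return 0;
}
```

Before the fix, the skew equals the offset of the chain member inside the request, so every field the callback touches is read or written that many bytes past where it should be.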
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46081.json",
"cna_assigner": "Linux"
}