Out-of-bounds read in AES-CFB-128 on X86-64 with AVX-512 support

The partial-block pre-processing code in ossl_aes_cfb128_vaes_enc and
ossl_aes_cfb128_vaes_dec unconditionally loads 16 bytes from the input buffer
using unmasked vmovdqu8 instructions, even when fewer bytes are valid.
This can read 1–15 bytes beyond the provided buffer. The post-processing code
in the same file correctly uses masked loads to avoid this issue.

Fixes CVE-2026-28386

Co-Authored-by: Stanislav Fort <stanislav.fort@aisle.com>
Co-Authored-by: Pavel Kohout <pavel.kohout@aisle.com>
Co-Authored-by: Alex Gaynor <gaynor@anthropic.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr  6 19:16:26 2026

diff --git a/crypto/aes/asm/aes-cfb-avx512.pl b/crypto/aes/asm/aes-cfb-avx512.pl
index 8136f16e55b9a30ac6064005bcf87795aa135131..01047a0d664260cd6001a5c4d537090adf0168c9 100644 (file)
--- a/crypto/aes/asm/aes-cfb-avx512.pl
+++ b/crypto/aes/asm/aes-cfb-avx512.pl
@@ -499,8 +499,8 @@ $code.=<<___;
     and \$0x0F,%al                   # wrap-around $num in a 16-byte block
 
     leaq ($num,$ivp),%r11            # process $left iv bytes
-    vmovdqu8 (%r11),%xmm0
-    vmovdqu8 ($inp),%xmm1            # process $left input bytes
+    vmovdqu8 (%r11),%xmm0{%k1}{z}
+    vmovdqu8 ($inp),%xmm1{%k1}{z}    # process $left input bytes
     vpxor %xmm0,%xmm1,%xmm2          # CipherFeedBack XOR
     vmovdqu8 %xmm2,($out){%k1}       # write $left output bytes
     vmovdqu8 %xmm2,(%r11){%k1}       # blend $left output bytes into iv
@@ -753,8 +753,8 @@ $code.=<<___;
     and \$0x0F,%al                    # wrap-around in a 16-byte block
 
     leaq ($num,$ivp),%r11             # process $left iv bytes
-    vmovdqu8 (%r11),%xmm0
-    vmovdqu8 ($inp),%xmm1             # process $left input bytes
+    vmovdqu8 (%r11),%xmm0{%k1}{z}
+    vmovdqu8 ($inp),%xmm1{%k1}{z}     # process $left input bytes
     vpxor %xmm0,%xmm1,%xmm2           # CipherFeedBack XOR
     vmovdqu8 %xmm2,($out){%k1}        # write $left output bytes
     vmovdqu8 %xmm1,(%r11){%k1}        # blend $left input bytes into iv