A newly disclosed vulnerability in the Linux kernel’s cryptographic subsystem, tracked as CVE-2026-43493, was added to the National Vulnerability Database (NVD) on May 19, 2026. The flaw resides in the pcrypt module and involves improper handling of asynchronous encryption requests using the MAY_BACKLOG flag. The bug could potentially lead to denial of service or other security issues, and it has direct implications for the millions of Windows users running Windows Subsystem for Linux (WSL). While this is a Linux kernel bug, it matters deeply to the Windows ecosystem because WSL relies on a full Linux kernel maintained and distributed by Microsoft. Any unpatched vulnerability in that kernel becomes an attack vector on Windows machines where WSL is enabled.
Understanding the pcrypt Crypto Module
Linux’s cryptographic API is a sprawling framework that enables kernel components and userspace applications to perform encryption, decryption, and hashing efficiently. The pcrypt module is a template that parallelizes symmetric cryptographic operations, such as AES encryption, by distributing work across multiple CPUs. This parallelism is crucial for high-throughput workloads, like VPN gateways, file system encryption, and TLS offloading, where processing delays can cripple performance.
Ordinarily, the Linux crypto API processes requests synchronously—the caller blocks until the operation completes. Asynchronous processing allows tasks to be queued and handled later, freeing the caller to continue other work. pcrypt wraps an underlying algorithm and splits the data stream into chunks that are dispatched as asynchronous jobs to different CPU cores. Each job uses the kernel’s asynchronous crypto interface, which involves a request structure (crypto_async_request) and a callback for completion.
The use of the MAY_BACKLOG flag in these asynchronous requests is a pivotal detail. In the Linux crypto subsystem, MAY_BACKLOG indicates that the caller can tolerate—and properly handle—a backlog of requests. When a crypto provider (such as a hardware accelerator or a software fallback) cannot immediately process a request, it may queue it for later execution. If MAY_BACKLOG is set, the provider retains the request and returns -EINPROGRESS or -EBUSY, expecting the caller to retry or handle the acknowledgment. Without this flag, the request would fail outright if the provider is busy.
The Flaw: Incorrect MAY_BACKLOG Handling in pcrypt
According to the NVD entry, CVE-2026-43493 addresses a situation where pcrypt mishandles asynchronous crypto requests that use the MAY_BACKLOG flag. The incomplete public summary states the fix is for “incorrect handling of asynchronous pcrypt crypto requests using the MAY_BACKLOG flag across mul…”—likely “multiple” contexts, CPUs, or threads. While the full technical details are pending fuller disclosure, the nature of such bugs is well understood in the kernel security community.
When pcrypt divides an encryption task into sub-requests, it must correctly propagate the MAY_BACKLOG semantics to each sub-request and manage their completions. An incorrect implementation could lead to several failure modes:
- Lost completions: A sub-request may never trigger its completion callback because the backlog status was misinterpreted. The parent pcrypt request hangs indefinitely, potentially leaking memory and stalling encryption operations.
- Double completions: The same sub-request could complete twice, corrupting kernel memory or causing a use-after-free.
- Deadlock: If a pcrypt worker thread waiting for sub-requests holds a lock that is also required by the completion path, the system can deadlock.
- Inconsistent state: The MAY_BACKLOG flag might be cleared inadvertently, causing requests to fail with -ENOSPC (no space) even when the queue has capacity, leading to spurious errors in applications relying on crypto.
Any of these could cause a denial of service by crashing the kernel or making cryptographic services unavailable. If the bug is exploitable from userspace—for instance, by triggering socket encryption (TLS) or filesystem encryption—it could be abused to disrupt services or, in the worst case, gain elevated privileges through memory corruption. The assignment of a CVE and its inclusion in the NVD indicate that maintainers classify this as a security issue worthy of coordinated disclosure, even if the immediate risk appears limited to reliability.
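The MAY_BACKLOG return codes and the completion accounting behind the failure modes above can be modelled in user space. The following C program is an added example, not kernel code and not the CVE-2026-43493 defect or its fix; the names enqueue, on_complete and run_model, the queue depth and the flag value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
enum { MAY_BACKLOG = 1, MAX_QLEN = 2, NREQ = 4 }; /* constructed values */
struct req { int flags, rc, finals; };
struct queue { struct req *slot[NREQ]; int qlen; };

/* Enqueue contract: queued (-EINPROGRESS), backlogged (-EBUSY) or dropped. */
static int enqueue(struct queue *q, struct req *r) {
    int err = -EINPROGRESS;
    if (q->qlen >= MAX_QLEN) {
        if (!(r->flags & MAY_BACKLOG))
            return -ENOSPC; /* dropped: no callback will ever fire */
        err = -EBUSY;       /* kept on the backlog */
    }
    q->slot[q->qlen++] = r;
    return err;
}

/* Completion callback; a naive one treats the -EINPROGRESS notice as final. */
static void on_complete(struct req *r, int err, int naive) {
    if (err != -EINPROGRESS || naive)
        r->finals++; /* otherwise: left the backlog, result still pending */
}

/* Submit NREQ sub-requests, drain, return how many have bad accounting. */
static int run_model(int flags, int naive, int *dropped) {
    struct req reqs[NREQ] = {{0}};
    struct queue q = { .qlen = 0 };
    int bad = (*dropped = 0);
    for (int i = 0; i < NREQ; i++) {
        reqs[i].flags = flags;
        reqs[i].rc = enqueue(&q, &reqs[i]);
        *dropped += (reqs[i].rc == -ENOSPC);
    }
    for (int i = 0; i < q.qlen; i++) {
        if (q.slot[i]->rc == -EBUSY) /* backlogged: notice, then result */
            on_complete(q.slot[i], -EINPROGRESS, naive);
        on_complete(q.slot[i], 0, naive);
    }
    for (int i = 0; i < NREQ; i++) /* accepted => exactly one final */
        bad += reqs[i].finals != (reqs[i].rc != -ENOSPC);
    return bad;
}

int main(void) {
    int d, ok = run_model(MAY_BACKLOG, 0, &d), twice = run_model(MAY_BACKLOG, 1, &d);
    printf("correct callback: %d bad, naive callback: %d bad\n", ok, twice);
    return 0;
}
```

With the flag set, a callback that counts the -EINPROGRESS notice as the result completes each backlogged request twice; with the flag cleared, the same overflow requests are dropped with -ENOSPC instead.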
Why This Matters for Windows Users: The WSL Connection
Windows Subsystem for Linux (WSL) debuted in 2016 and has evolved into a core development tool for Windows. WSL 2, introduced in 2020, runs a complete Linux kernel inside a lightweight virtual machine. Microsoft backports this kernel from the stable Linux long-term support (LTS) branches and ships it via Windows Update. As of early 2026, the WSL kernel is based on Linux 6.1 LTS or newer, depending on the Windows version and update channel. All cryptographic algorithms that the kernel provides, including pcrypt-based implementations, are available to WSL guests.
This means that any vulnerability in the WSL kernel’s crypto subsystem is exploitable from within the WSL environment. A malicious process inside a WSL 2 instance could craft specific encryption requests to trigger the pcrypt bug, potentially crashing the WSL VM or affecting the stability of the entire Windows host if the hypervisor is involved. While WSL 2 uses Hyper‑V isolation, a kernel crash in the VM does not directly compromise the Windows host, but it can still lead to:
- Denial of Service: A crashing WSL kernel stops all Linux processes and may require a restart of the WSL environment, losing work and disrupting development workflows.
- Data Corruption: Abrupt termination of encryption operations could corrupt encrypted data stores or filesystems mounted from within WSL.
- Privilege Escalation Scenarios: Although less likely, memory corruption bugs in the kernel can sometimes be leveraged to escape virtual machine boundaries. The track record of several CVEs shows that hypervisor escapes do happen, and any kernel vulnerability should be treated as a potential step in a chain.
Microsoft actively monitors Linux kernel security and patches the WSL kernel promptly. When a CVE like this one is published, Microsoft typically evaluates the severity and backports the fix into its next WSL kernel update, which is distributed via Windows Update. Windows users who keep their systems up to date will receive the patch automatically once Microsoft integrates it. However, there is often a lag between upstream Linux fix publication and WSL kernel redeployment, varying from days to weeks. Enterprises with strict WSL usage should monitor Microsoft’s WSL kernel release notes and apply updates as soon as available.
Broader Implications: Crypto Bugs Across Ecosystems
Cryptographic bugs have a notorious reputation for their stealth and impact. The Linux kernel has grappled with crypto subsystem flaws before—such as CVE-2017-18079 (a random number generator issue in the Sony Vaio driver), CVE-2020-25656 (a use-after-free in the crypto user configuration API), and CVE-2021-3711 (an SM2 decryption buffer overflow). Each forced patches across countless servers, IoT devices, and embedded systems, but WSL brought that attack surface directly onto Windows desktops.
For Windows users, the line between OS security boundaries has blurred. A Linux kernel vulnerability inside WSL is not Windows’ problem per se, but it becomes one when Microsoft ships the kernel. Security teams must now consider Linux CVEs alongside Windows advisories when assessing risk. This convergence highlights a growing trend: mixed-OS environments require holistic patch management. Tools like Windows Update for WSL kernel, Microsoft Defender for Endpoint’s ability to monitor WSL processes, and third-party vulnerability scanners increasingly span both worlds.
The pcrypt module itself is not commonly used by everyday WSL workloads—most users do not run IPSec VPNs or massive encrypted file transfers. However, the kernel loads modules on demand, and a determined attacker could likely trigger pcrypt through direct sysfs manipulation or by loading a crafted kernel module if WSL’s default configuration permits it (WSL 2 typically allows module loading if the user has root). Thus, even obscure kernel paths can be reachable.
Mitigation and Remediation for Windows Users
For Windows users who leverage WSL, the immediate steps are straightforward:
- Ensure Automatic Updates Are On: Windows Update delivers WSL kernel updates as part of the monthly quality or out-of-band patches. By default, Windows 10 and 11 keep the WSL kernel current. Verify under Settings > Windows Update > Advanced options that “Receive updates for other Microsoft products” is enabled.
- Check Your WSL Kernel Version: Open a WSL terminal and run uname -r. The output will show the kernel version. Compare it with the latest release on Microsoft’s WSL GitHub page (https://github.com/microsoft/WSL2-Linux-Kernel/releases). If you are behind, you can manually install the latest kernel from Microsoft’s download center or trigger a WSL update with wsl --update from PowerShell.
- Disable WSL If Not Needed: If WSL is installed but unused, consider disabling it via “Turn Windows features on or off” to reduce attack surface.
- Monitor Security Announcements: Bookmark Microsoft’s Security Response Center (MSRC) and the WSL GitHub repository. Microsoft rarely publishes explicit CVEs for WSL kernel fixes, but they often document kernel updates in WSL release notes.
For organizations, the risk can be further reduced by enforcing WSL configuration policies. Group Policy or MDM can restrict WSL usage to only authorized users, prevent root access, or limit which drivers and modules are available. Since CVE-2026-43493 requires local access to the WSL environment, strong user access controls are the first line of defense.
The Road Ahead: Kernel Patching and Ecosystem Vigilance
CVE-2026-43493 serves as a reminder that the software supply chain now includes entire operating system kernels shipped by one vendor within another’s product. Microsoft’s commitment to maintaining the WSL kernel has been laudable, with frequent updates and active participation in upstream Linux security. However, every kernel vulnerability forces a race: attackers can reverse-engineer the fix within hours, while Microsoft must build, test, and deploy a new kernel without destabilizing customer environments.
The pcrypt bug’s specifics, once fully disclosed, will likely be analyzed for their exploitability. If the bug can be triggered by unprivileged users, its severity rises. We anticipate Microsoft will release a WSL kernel update within the next fortnight, given the public CVE. Windows Insiders often receive kernel updates first, so joining the Insider program could be a proactive step for security-conscious users.
In the larger picture, this vulnerability exemplifies why Microsoft’s investment in WSL includes hardening the kernel. Projects like the WSL Kernel Security Subsystem and integration with Microsoft Defender are steps toward ensuring that Linux components under Windows are not the weak link. As hybrid operating environments become the norm, security practitioners must treat cross-platform vulnerabilities with the same rigor they apply to platform-specific ones.
Keep your WSL kernel updated, stay informed, and remember: in the interconnected world of modern OSes, a Linux bug is now a Windows concern.