9.8
CVE-2026-31533
- EPSS 0.26%
- Veröffentlicht 23.04.2026 15:11:06
- Zuletzt bearbeitet 29.04.2026 14:51:25
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
In the Linux kernel, the following vulnerability has been resolved:
net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
The -EBUSY handling in tls_do_encryption(), introduced by commit
859054147318 ("net: tls: handle backlogging of crypto requests"), has
a use-after-free due to double cleanup of encrypt_pending and the
scatterlist entry.
When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
the cryptd backlog and the async callback tls_encrypt_done() will be
invoked upon completion. That callback unconditionally restores the
scatterlist entry (sge->offset, sge->length) and decrements
ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
error, the synchronous error path in tls_do_encryption() performs the
same cleanup again, double-decrementing encrypt_pending and
double-restoring the scatterlist.
The double-decrement corrupts the encrypt_pending sentinel (initialized
to 1), making tls_encrypt_async_wait() permanently skip the wait for
pending async callbacks. A subsequent sendmsg can then free the
tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
pending, resulting in a use-after-free when the callback fires on the
freed record.
Fix this by skipping the synchronous cleanup when the -EBUSY async
wait returns an error, since the callback has already handled
encrypt_pending and sge restoration.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.15.160 < 5.15.203
Linux ≫ Linux Kernel Version >= 6.1.84 < 6.1.169
Linux ≫ Linux Kernel Version >= 6.6.18 < 6.6.135
Linux ≫ Linux Kernel Version >= 6.7.6 < 6.8
Linux ≫ Linux Kernel Version >= 6.8.1 < 6.12.82
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.23
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.13
Linux ≫ Linux Kernel Version7.0 Updaterc1
Linux ≫ Linux Kernel Version7.0 Updaterc2
Linux ≫ Linux Kernel Version7.0 Updaterc3
Linux ≫ Linux Kernel Version7.0 Updaterc4
Linux ≫ Linux Kernel Version7.0 Updaterc5
Linux ≫ Linux Kernel Version7.0 Updaterc6
Linux ≫ Linux Kernel Version7.0 Updaterc7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.174 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a
https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0
https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8
https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf
https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412
https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74
https://git.kernel.org/stable/c/a9b8b18364fffce4c451e6f6fd218fa4ab646705