CVE-2026-31533

EPSS 0.04%
Veröffentlicht 23.04.2026 15:11:06
Zuletzt bearbeitet 29.04.2026 14:51:25
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

The -EBUSY handling in tls_do_encryption(), introduced by commit
859054147318 ("net: tls: handle backlogging of crypto requests"), has
a use-after-free due to double cleanup of encrypt_pending and the
scatterlist entry.

When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
the cryptd backlog and the async callback tls_encrypt_done() will be
invoked upon completion. That callback unconditionally restores the
scatterlist entry (sge->offset, sge->length) and decrements
ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
error, the synchronous error path in tls_do_encryption() performs the
same cleanup again, double-decrementing encrypt_pending and
double-restoring the scatterlist.

The double-decrement corrupts the encrypt_pending sentinel (initialized
to 1), making tls_encrypt_async_wait() permanently skip the wait for
pending async callbacks. A subsequent sendmsg can then free the
tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
pending, resulting in a use-after-free when the callback fires on the
freed record.

Fix this by skipping the synchronous cleanup when the -EBUSY async
wait returns an error, since the callback has already handled
encrypt_pending and sge restoration.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

NVD 14 VulnDex Vulnerability Enrichment 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 5.15.160 < 5.15.203

Linux ≫ Linux Kernel Version >= 6.1.84 < 6.1.169

Linux ≫ Linux Kernel Version >= 6.6.18 < 6.6.135

Linux ≫ Linux Kernel Version >= 6.7.6 < 6.8

Linux ≫ Linux Kernel Version >= 6.8.1 < 6.12.82

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.23

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.13

Linux ≫ Linux Kernel Version7.0 Updaterc1

Linux ≫ Linux Kernel Version7.0 Updaterc2

Linux ≫ Linux Kernel Version7.0 Updaterc3

Linux ≫ Linux Kernel Version7.0 Updaterc4

Linux ≫ Linux Kernel Version7.0 Updaterc5

Linux ≫ Linux Kernel Version7.0 Updaterc6

Linux ≫ Linux Kernel Version7.0 Updaterc7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.122

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a

Patch

https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0

Patch

https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8

Patch

https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf

Patch

https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412

Patch

https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74

Patch