9.8

CVE-2026-31533

net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

The -EBUSY handling in tls_do_encryption(), introduced by commit
859054147318 ("net: tls: handle backlogging of crypto requests"), has
a use-after-free due to double cleanup of encrypt_pending and the
scatterlist entry.

When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
the cryptd backlog and the async callback tls_encrypt_done() will be
invoked upon completion. That callback unconditionally restores the
scatterlist entry (sge->offset, sge->length) and decrements
ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
error, the synchronous error path in tls_do_encryption() performs the
same cleanup again, double-decrementing encrypt_pending and
double-restoring the scatterlist.

The double-decrement corrupts the encrypt_pending sentinel (initialized
to 1), making tls_encrypt_async_wait() permanently skip the wait for
pending async callbacks. A subsequent sendmsg can then free the
tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
pending, resulting in a use-after-free when the callback fires on the
freed record.

Fix this by skipping the synchronous cleanup when the -EBUSY async
wait returns an error, since the callback has already handled
encrypt_pending and sge restoration.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.15.160 < 5.15.203
LinuxLinux Kernel Version >= 6.1.84 < 6.1.169
LinuxLinux Kernel Version >= 6.6.18 < 6.6.135
LinuxLinux Kernel Version >= 6.7.6 < 6.8
LinuxLinux Kernel Version >= 6.8.1 < 6.12.82
LinuxLinux Kernel Version >= 6.13 < 6.18.23
LinuxLinux Kernel Version >= 6.19 < 6.19.13
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc6
LinuxLinux Kernel Version7.0 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.174
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a
Patch
https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0
Patch
https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8
Patch
https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf
Patch
https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412
Patch
https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74
Patch
https://git.kernel.org/stable/c/a9b8b18364fffce4c451e6f6fd218fa4ab646705
Patch