CVE-2026-23414

MEDIUM EPSS 14.7%
Published Apr 2, 20262mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Apr 2, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: tls: Purge async_hold in tls_decrypt_async_wait() The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally. A subsequent patch adds batch async decryption to tls_sw_read_sock(), introducing a new call site that must drain pending AEAD operations and release held skbs. Move __skb_queue_purge(&ctx->async_hold) into tls_decrypt_async_wait() so the purge is centralized and every caller -- recvmsg's drain path, the -EBUSY fallback in tls_do_decryption(), and the new read_sock batch path -- releases held skbs on synchronization without each site managing the purge independently. This fixes a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to process all pending decrypts, and drop back to synchronous mode, but tls_sw_recvmsg() only flushes the async_hold queue when one record has been processed in "fully-async" mode, which may not be the case here. [pabeni@redhat.com: added leak comment]

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
14.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-401

Affected Products 14

VendorProductVersionRange
linuxlinux_kernel*≥6.1.158  –  <6.1.168
linuxlinux_kernel*≥6.6.114  –  <6.6.131
linuxlinux_kernel*≥6.12.55  –  <6.12.80
linuxlinux_kernel*≥6.17.5  –  <6.18
linuxlinux_kernel*≥6.18.1  –  <6.18.21
linuxlinux_kernel*≥6.19  –  <6.19.11
linuxlinux_kernel6.18any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/2dcf324855c34e7f934ce978aa19b645a8f3ee71
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6dc11e0bd0a5466bcc76d275c09e5537bd0597dd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/84a8335d8300576f1b377ae24abca1d9f197807f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9f557c7eae127b44d2e863917dc986a4b6cb1269
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac435be7c7613eb13a5a8ceb5182e10b50c9ce87
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fd8037e1f18ca5336934d0e0e7e1a4fe097e749d
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2dcf324855c34e7f934ce978aa19b645a8f3ee71
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6dc11e0bd0a5466bcc76d275c09e5537bd0597dd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/84a8335d8300576f1b377ae24abca1d9f197807f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9f557c7eae127b44d2e863917dc986a4b6cb1269
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac435be7c7613eb13a5a8ceb5182e10b50c9ce87
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fd8037e1f18ca5336934d0e0e7e1a4fe097e749d
    Patch