Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-38616

Опубликовано: 22 авг. 2025
Источник: redhat
CVSS3: 4.1
EPSS Низкий

Описание

In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place.

A flaw was found in the Linux kernel's in-kernel TLS (kTLS) receive path. This vulnerability, a race condition, allows data to be consumed from the TCP socket before the kTLS component fully takes control. A local attacker with privileged access to kTLS socket setup could exploit this timing issue, causing the system's internal data processing to reference invalid memory. This could lead to a kernel crash, resulting in a Denial of Service (DoS) for the affected system.

Отчет

A race in the in-kernel TLS (kTLS) receive path allowed data to be consumed from the TCP socket before the TLS ULP took ownership, leaving internal parsing state pointing to freed buffers and potentially crashing the kernel. The fix replaces a WARN/early-exit with proper error handling: it resets the parsing state and forces a retry when the queue has changed under TLS. Practical exploitation requires local, typically privileged control over kTLS socket setup and precise timing.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 10kernelFix deferred
Red Hat Enterprise Linux 6kernelNot affected
Red Hat Enterprise Linux 7kernelNot affected
Red Hat Enterprise Linux 7kernel-rtNot affected
Red Hat Enterprise Linux 8kernelNot affected
Red Hat Enterprise Linux 8kernel-rtNot affected
Red Hat Enterprise Linux 9kernelFix deferred
Red Hat Enterprise Linux 9kernel-rtFix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-366
https://bugzilla.redhat.com/show_bug.cgi?id=2390319kernel: Linux kernel: Denial of Service in kTLS due to race condition in receive path

EPSS

Процентиль: 1%
0.00008
Низкий

4.1 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-38616

CVSS3: 7.1
ubuntu
7 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash...

nvd логотип

CVE-2025-38616

CVSS3: 7.1
nvd
7 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel cras

msrc логотип

CVE-2025-38616

CVSS3: 5.5
msrc
7 месяцев назад

tls: handle data disappearing from under the TLS ULP

debian логотип

CVE-2025-38616

CVSS3: 7.1
debian
7 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: t ...

suse-cvrf логотип

SUSE-SU-2025:4311-1

suse-cvrf
4 месяца назад

Security update for the Linux Kernel (Live Patch 4 for SUSE Linux Enterprise 15 SP7)

EPSS

Процентиль: 1%
0.00008
Низкий

4.1 Medium

CVSS3