net: tls: fix strparser anchor skb leak on offload RX setup failure

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-52974
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-24 17:17:07 UTC
Updated2026-06-28 08:16:27 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: net: tls: fix strparser anchor skb leak on offload RX setup failure When tls_set_device_offload_rx() fails at tls_dev_add(), the error path calls tls_sw_free_resources_rx() to clean up the SW context that was initialized by tls_set_sw_offload(). This function calls tls_sw_release_resources_rx() (which stops the strparser via tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context), but never frees the anchor skb that was allocated by alloc_skb(0) in tls_strp_init(). Note that tls_sw_free_resources_rx() is exclusively used for this "failed to start offload" code path, there's no other caller. The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use the standard strparser"), because the standard strparser doesn't try to pre-allocate an skb. The normal close path in tls_sk_proto_close() handles cleanup by calling tls_sw_strparser_done() (which calls tls_strp_done()) after dropping the socket lock, because tls_strp_done() does cancel_work_sync() and the strparser work handler takes the socket lock.

Risk And Classification

Primary CVSS: v3.1 7.5 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.005060000 probability, percentile 0.393940000 (date 2026-06-29)

VersionSourceTypeScoreSeverityVector
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary7.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1CNADECLARED7.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 84c61fe1a75b4255df1e1e7c054c9e6d048da417 0c9f399b37ce22a5ed94cc51f03ed07ac7f38e32 git Not specified
CNA Linux Linux affected 84c61fe1a75b4255df1e1e7c054c9e6d048da417 688f12aa44511dd57e448eb670075c6302ad1dc1 git Not specified
CNA Linux Linux affected 84c61fe1a75b4255df1e1e7c054c9e6d048da417 3c405dfa9619e506e75b8e41f8b29a5b99731877 git Not specified
CNA Linux Linux affected 84c61fe1a75b4255df1e1e7c054c9e6d048da417 9c54e76f8d6eb11735918777ef0e0509e089557d git Not specified
CNA Linux Linux affected 84c61fe1a75b4255df1e1e7c054c9e6d048da417 bd07fe6c38b9e44ff3fc02692a53f095c5cc9afc git Not specified
CNA Linux Linux affected 84c61fe1a75b4255df1e1e7c054c9e6d048da417 58689498ca3384851145a754dbb1d8ed1cf9fb54 git Not specified
CNA Linux Linux affected 6.0 Not specified
CNA Linux Linux unaffected 6.0 semver Not specified
CNA Linux Linux unaffected 6.1.175 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.141 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.91 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.33 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.10 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/0c9f399b37ce22a5ed94cc51f03ed07ac7f38e32 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/3c405dfa9619e506e75b8e41f8b29a5b99731877 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/688f12aa44511dd57e448eb670075c6302ad1dc1 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/9c54e76f8d6eb11735918777ef0e0509e089557d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/58689498ca3384851145a754dbb1d8ed1cf9fb54 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/bd07fe6c38b9e44ff3fc02692a53f095c5cc9afc 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report