net: tls: fix strparser anchor skb leak on offload RX...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: tls: fix strparser anchor skb leak on offload RX setup failure

When tls_set_device_offload_rx() fails at tls_dev_add(), the error path
calls tls_sw_free_resources_rx() to clean up the SW context that was
initialized by tls_set_sw_offload(). This function calls
tls_sw_release_resources_rx() (which stops the strparser via
tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context),
but never frees the anchor skb that was allocated by alloc_skb(0) in
tls_strp_init().

Note that tls_sw_free_resources_rx() is exclusively used for this
"failed to start offload" code path, there's no other caller.

The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use
the standard strparser"), because the standard strparser doesn't try
to pre-allocate an skb.

The normal close path in tls_sk_proto_close() handles cleanup by calling
tls_sw_strparser_done() (which calls tls_strp_done()) after dropping
the socket lock, because tls_strp_done() does cancel_work_sync() and
the strparser work handler takes the socket lock.

Basic Information

ID CVE-2026-52974

Source Linux

Published Jun 24, 2026 at 16:28

Modified Jun 28, 2026 at 06:37

Affected Product

Vendor Linux

Product Linux

Version 84c61fe1a75b4255df1e1e7c054c9e6d048da417

Affected Versions Linux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Linux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Linux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Linux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Linux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Linux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Linux Linux 6.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: fix strparser anchor skb leak on offload RX setup failure\n\nWhen tls_set_device_offload_rx() fails at tls_dev_add(), the error path\ncalls tls_sw_free_resources_rx() to clean up the SW context that was\ninitialized by tls_set_sw_offload(). This function calls\ntls_sw_release_resources_rx() (which stops the strparser via\ntls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context),\nbut never frees the anchor skb that was allocated by alloc_skb(0) in\ntls_strp_init().\n\nNote that tls_sw_free_resources_rx() is exclusively used for this\n\"failed to start offload\" code path, there's no other caller.\n\nThe leak did not exist before commit 84c61fe1a75b (\"tls: rx: do not use\nthe standard strparser\"), because the standard strparser doesn't try\nto pre-allocate an skb.\n\nThe normal close path in tls_sk_proto_close() handles cleanup by calling\ntls_sw_strparser_done() (which calls tls_strp_done()) after dropping\nthe socket lock, because tls_strp_done() does cancel_work_sync() and\nthe strparser work handler takes the socket lock.",
    "published": "2026-06-24T16:28:51.826Z",
    "modified": "2026-06-28T06:37:28.883Z",
    "type": "cve",
    "title": "net: tls: fix strparser anchor skb leak on offload RX setup failure",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/0c9f399b37ce22a5ed94cc51f03ed07ac7f38e32\nhttps://git.kernel.org/stable/c/688f12aa44511dd57e448eb670075c6302ad1dc1\nhttps://git.kernel.org/stable/c/3c405dfa9619e506e75b8e41f8b29a5b99731877\nhttps://git.kernel.org/stable/c/9c54e76f8d6eb11735918777ef0e0509e089557d\nhttps://git.kernel.org/stable/c/bd07fe6c38b9e44ff3fc02692a53f095c5cc9afc\nhttps://git.kernel.org/stable/c/58689498ca3384851145a754dbb1d8ed1cf9fb54",
    "id": "CVE-2026-52974",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417\nLinux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417\nLinux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417\nLinux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417\nLinux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417\nLinux Linux 84c61fe1a75b4255df1e1e7c054c9e6d048da417\nLinux Linux 6.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

net: tls: fix strparser anchor skb leak on offload RX setup failure_CVE-2026-52974

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply