Skip to main content

Linux Kernel CVE-2026-52974

| EUVDEUVD-2026-38842 HIGH
Memory Leak (CWE-401)
2026-06-24 Linux GHSA-5jx6-m427-9p5p
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Triggering requires local socket setup of kTLS RX offload (AV:L, PR:L) on specific offload hardware and forcing a driver failure (AC:H); impact is memory-exhaustion availability only (A:H, C:N, I:N).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:38 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: tls: fix strparser anchor skb leak on offload RX setup failure

When tls_set_device_offload_rx() fails at tls_dev_add(), the error path calls tls_sw_free_resources_rx() to clean up the SW context that was initialized by tls_set_sw_offload(). This function calls tls_sw_release_resources_rx() (which stops the strparser via tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context), but never frees the anchor skb that was allocated by alloc_skb(0) in tls_strp_init().

Note that tls_sw_free_resources_rx() is exclusively used for this "failed to start offload" code path, there's no other caller.

The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use the standard strparser"), because the standard strparser doesn't try to pre-allocate an skb.

The normal close path in tls_sk_proto_close() handles cleanup by calling tls_sw_strparser_done() (which calls tls_strp_done()) after dropping the socket lock, because tls_strp_done() does cancel_work_sync() and the strparser work handler takes the socket lock.

AnalysisAI

Memory exhaustion (denial of service) in the Linux kernel's TLS device-offload receive path, where a failure during hardware offload setup leaks the strparser anchor socket buffer (skb) and never frees it. Affecting kernels from the introduction of the custom strparser (commit 84c61fe1a75b) onward, repeated triggering of the offload setup-failure path slowly drains kernel memory; CVSS rates availability impact High (7.5) but EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local socket access on offload host
Delivery
Enable kTLS RX hardware offload on socket
Exploit
Force tls_dev_add() setup failure
Execution
Leak anchor skb via cleanup path
Persist
Repeat to exhaust kernel memory
Impact
Denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to use kernel TLS receive-side hardware offload - i.e., a socket configured via setsockopt for TLS_RX on a NIC that supports inline kTLS offload - and the driver's tls_dev_add() call must fail, which is the only path that invokes the leaky tls_sw_free_resources_rx() cleanup. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict in a way defenders should weigh carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local, low-privileged process on a host with a TLS-offload-capable NIC repeatedly opens sockets, enables kTLS RX hardware offload, and drives the driver's tls_dev_add() into its failure path (for example by exhausting offload contexts), leaking one anchor skb per failed attempt. Sustained over time this slowly exhausts kernel memory and can degrade or crash the host. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later within each branch), corresponding to stable commits 9c54e76f8d6e, 688f12aa4451, 0c9f399b37ce, bd07fe6c38b9, 3c405dfa9619, and 58689498ca33 (https://git.kernel.org/stable/c/9c54e76f8d6eb11735918777ef0e0509e089557d and siblings). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Determine which Linux systems use TLS hardware offload features. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52974 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy