Skip to main content

Linux EUVDEUVD-2026-18195

| CVE-2026-23414 MEDIUM
Memory Leak (CWE-401)
2026-04-02 Linux GHSA-8fgp-q3pf-q3rh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

10
Severity Changed
Jul 14, 2026 - 13:22 NVD
HIGH MEDIUM
CVSS changed
Jul 14, 2026 - 13:22 NVD
7.5 (HIGH) 5.5 (MEDIUM)
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Apr 27, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
Apr 27, 2026 - 14:22 NVD
5.5 (MEDIUM) 7.5 (HIGH)
CVSS changed
Apr 24, 2026 - 15:37 NVD
5.5 (MEDIUM)
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 12:00 euvd
EUVD-2026-18195
Analysis Generated
Apr 02, 2026 - 12:00 vuln.today
CVE Published
Apr 02, 2026 - 11:40 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

tls: Purge async_hold in tls_decrypt_async_wait()

The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally.

A subsequent patch adds batch async decryption to tls_sw_read_sock(), introducing a new call site that must drain pending AEAD operations and release held skbs. Move __skb_queue_purge(&ctx->async_hold) into tls_decrypt_async_wait() so the purge is centralized and every caller -- recvmsg's drain path, the -EBUSY fallback in tls_do_decryption(), and the new read_sock batch path -- releases held skbs on synchronization without each site managing the purge independently.

This fixes a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to process all pending decrypts, and drop back to synchronous mode, but tls_sw_recvmsg() only flushes the async_hold queue when one record has been processed in "fully-async" mode, which may not be the case here.

[pabeni@redhat.com: added leak comment]

AnalysisAI

Linux kernel TLS subsystem leaks socket buffers (skbs) when asynchronous AEAD decryption operations fail during batch processing, allowing local attackers to exhaust kernel memory and potentially cause denial of service. The vulnerability exists in tls_decrypt_async_wait() and related functions that manage the async_hold queue, which pins encrypted input buffers for AEAD engine references; improper cleanup in failure paths leaves these buffers allocated indefinitely. This is a kernel memory leak affecting TLS decryption in the kernel's cryptographic stack, confirmed by multiple upstream patches across stable branches.

Technical ContextAI

The Linux kernel's TLS subsystem (tls_sw.c and related modules) implements Transport Layer Security decryption using asynchronous AEAD (Authenticated Encryption with Associated Data) cipher engines. The async_hold queue is a socket buffer queue that pins skbs while the hardware or software AEAD engine holds references to their scatterlist data structures. When tls_decrypt_async_wait() completes, all AEAD operations finish and the engine releases those buffer references, allowing safe deallocation. However, the code had a logic flaw: when tls_strp_msg_hold() fails partway through adding cloned skbs to async_hold, the subsequent call to tls_decrypt_async_wait() processes pending decrypts and drops to synchronous mode, but tls_sw_recvmsg() only purges the async_hold queue after a fully-async record completes. This conditional purge is insufficient for error paths, leaving allocated skbs in the queue. The root cause is lack of centralized cleanup in the synchronization function itself, violating the principle that whoever waits for async operations should also release the resources those operations pinned.

RemediationAI

Apply the upstream kernel patch that centralizes async_hold queue purging within tls_decrypt_async_wait(), as committed to the Linux kernel stable branches. The fix is available via git commits 2dcf324855c34e7f934ce978aa19b645a8f3ee71, 6dc11e0bd0a5466bcc76d275c09e5537bd0597dd, 9f557c7eae127b44d2e863917dc986a4b6cb1269, fd8037e1f18ca5336934d0e0e7e1a4fe097e749d, and 84a8335d8300576f1b377ae24abca1d9f197807f across stable kernel branches. Distributions should backport this patch to their kernel packages and release updated kernels; users should update to the next stable kernel release containing this fix. No workaround is available for this kernel-level issue; mitigation requires patching the kernel source and recompiling or updating to a patched kernel package from the distribution vendor. See https://git.kernel.org/stable/ for commit details and patch availability.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid vulnerable 6.19.10-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy