Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Triggering requires local socket setup of kTLS RX offload (AV:L, PR:L) on specific offload hardware and forcing a driver failure (AC:H); impact is memory-exhaustion availability only (A:H, C:N, I:N).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: tls: fix strparser anchor skb leak on offload RX setup failure
When tls_set_device_offload_rx() fails at tls_dev_add(), the error path calls tls_sw_free_resources_rx() to clean up the SW context that was initialized by tls_set_sw_offload(). This function calls tls_sw_release_resources_rx() (which stops the strparser via tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context), but never frees the anchor skb that was allocated by alloc_skb(0) in tls_strp_init().
Note that tls_sw_free_resources_rx() is exclusively used for this "failed to start offload" code path, there's no other caller.
The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use the standard strparser"), because the standard strparser doesn't try to pre-allocate an skb.
The normal close path in tls_sk_proto_close() handles cleanup by calling tls_sw_strparser_done() (which calls tls_strp_done()) after dropping the socket lock, because tls_strp_done() does cancel_work_sync() and the strparser work handler takes the socket lock.
AnalysisAI
Memory exhaustion (denial of service) in the Linux kernel's TLS device-offload receive path, where a failure during hardware offload setup leaks the strparser anchor socket buffer (skb) and never frees it. Affecting kernels from the introduction of the custom strparser (commit 84c61fe1a75b) onward, repeated triggering of the offload setup-failure path slowly drains kernel memory; CVSS rates availability impact High (7.5) but EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to use kernel TLS receive-side hardware offload - i.e., a socket configured via setsockopt for TLS_RX on a NIC that supports inline kTLS offload - and the driver's tls_dev_add() call must fail, which is the only path that invokes the leaky tls_sw_free_resources_rx() cleanup. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict in a way defenders should weigh carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local, low-privileged process on a host with a TLS-offload-capable NIC repeatedly opens sockets, enables kTLS RX hardware offload, and drives the driver's tls_dev_add() into its failure path (for example by exhausting offload contexts), leaking one anchor skb per failed attempt. Sustained over time this slowly exhausts kernel memory and can degrade or crash the host. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later within each branch), corresponding to stable commits 9c54e76f8d6e, 688f12aa4451, 0c9f399b37ce, bd07fe6c38b9, 3c405dfa9619, and 58689498ca33 (https://git.kernel.org/stable/c/9c54e76f8d6eb11735918777ef0e0509e089557d and siblings). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Determine which Linux systems use TLS hardware offload features. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38842
GHSA-5jx6-m427-9p5p