CVE-2025-38471
Description
In the Linux kernel, the following vulnerability has been resolved:
tls: always refresh the queue when reading sock
After recent changes in net-next TCP compacts skbs much more aggressively. This unearthed a bug in TLS where we may try to operate on an old skb when checking if all skbs in the queue have matching decrypt state and geometry.
BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls] (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)
Read of size 4 at addr ffff888013085750 by task tls/13529
CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme
Call Trace:
kasan_report+0xca/0x100
tls_strp_check_rcv+0x898/0x9a0 [tls]
tls_rx_rec_wait+0x2c9/0x8d0 [tls]
tls_sw_recvmsg+0x40f/0x1aa0 [tls]
inet_recvmsg+0x1c3/0x1f0
Always reload the queue, fast path is to have the record in the queue when we wake, anyway (IOW the path going down "if !strp->stm.full_len").
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, aggressive TCP skb compaction exposed a use-after-free bug in TLS where an old skb could be accessed during receive processing.
Vulnerability
The Linux kernel's TLS subsystem contains a use-after-free vulnerability in tls_strp_check_rcv. When the TCP stack aggressively compacts skbs (a change recently introduced in net-next), the TLS receive path may hold a stale reference to a freed skb while checking decrypt state and geometry. This triggers a KASAN slab-use-after-free read access during tls_strp_check_rcv and subsequent receive operations [1].
Exploitation
An attacker must be able to send TLS traffic to the target system, triggering the race condition between skb compaction in TCP and the TLS record parsing. No special privileges are required beyond network access to send data to a TLS socket. The bug manifests when the socket is read via tls_sw_recvmsg, which calls tls_rx_rec_wait and then tls_strp_check_rcv [1].
Impact
A successful exploit could allow an unauthenticated remote attacker to cause a kernel crash (denial of service) or potentially achieve arbitrary code execution in kernel context, given the use-after-free condition permits out-of-bounds access [1].
Mitigation
The fix ensures the socket buffer queue is always refreshed before operating on any skb, so that a stale reference is never used. Patches have been incorporated into the stable kernel tree [2][3][4]. Siemens has also identified affected products (e.g., SIMATIC S7-1500 CPU family) and recommends applying the provided updates [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux / Linux, v5, Range: 6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/1f3a429c21e0e43e8b8c55d30701e91411a4df02 (nvd, Patch)
- git.kernel.org/stable/c/4ab26bce3969f8fd925fe6f6f551e4d1a508c68b (nvd, Patch)
- git.kernel.org/stable/c/730fed2ff5e259495712518e18d9f521f61972bb (nvd, Patch)
- git.kernel.org/stable/c/c76f6f437c46b2390888e0e1dc7aafafa9f4e0c6 (nvd, Patch)
- git.kernel.org/stable/c/cdb767915fc9a15d88d19d52a1455f1dc3e5ddc8 (nvd, Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-082556.html (nvd)
News mentions
No linked articles in our index yet.