CVE-2025-39682
Description
In the Linux kernel, the following vulnerability has been resolved:
tls: fix handling of zero-length records on the rx_list
Each recvmsg() call must process either:
- only contiguous DATA records (any number of them)
- one non-DATA record
If the next record has a different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know the type until decryption) we queue the pending record to the rx_list. The next recvmsg() will pick it up from there.
Queuing the skb to rx_list after zero-copy decrypt is not possible, since in that case we decrypted directly to the user space buffer, and we don't have an skb to queue (darg.skb points to the ciphertext skb for access to metadata like length).
Only data records are allowed zero-copy, and we break the processing loop after each non-data record. So we should never zero-copy and then find out that the record type has changed. The corner case we missed is when the initial record comes from rx_list, and it's zero length.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel TLS subsystem mishandles zero-length records on rx_list, leading to a use-after-free during recvmsg().
Vulnerability
Description
In the Linux kernel's TLS implementation, a flaw exists in how zero-length records are handled when they arrive on the rx_list. Each recvmsg() call is designed to process either contiguous DATA records or a single non-DATA record. If the next record's type differs from what has already been processed, the kernel breaks out of the main processing loop. For TLS 1.3, where the record type is unknown until decryption, a decrypted record may be queued to rx_list for the next recvmsg(). However, queuing an skb after zero-copy decryption is impossible because zero-copy decrypts directly into user space, leaving no skb to queue (only a ciphertext skb for metadata). Only DATA records are eligible for zero-copy, and the loop breaks after each non-DATA record, so zero-copy should never occur with a type change. The missed corner case is when the initial record comes from rx_list and is zero-length, leading to an attempt to queue a non-existent skb and resulting in a use-after-free condition.
Exploitation
Scenario
An attacker with the ability to send crafted TLS records to a vulnerable system could trigger this bug. The attack requires the ability to establish a TLS connection and inject a zero-length record that is placed on the rx_list. No special privileges are needed beyond network access to the TLS endpoint. The vulnerability is triggered during the recvmsg() system call when the kernel processes the zero-length record from rx_list.
Impact
Successful exploitation could lead to a use-after-free, potentially allowing an attacker to corrupt kernel memory. This may result in a denial of service (system crash) or, in more severe cases, arbitrary code execution in the kernel context. The CVSS v3 score is 7.1 (High), reflecting the potential for significant impact on confidentiality, integrity, and availability.
Mitigation
The Linux kernel has released patches for this vulnerability, as seen in stable kernel commits [2]. Users should update their kernels to the latest stable versions that include the fix. Additionally, Siemens has identified this CVE as affecting SIMATIC CN 4100 devices (all versions < V5.0) and recommends updating to V5.0 or later [1]. No workarounds are currently available; applying the kernel patch is the recommended course of action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux / Linux (v5) Range: 6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/2902c3ebcca52ca845c03182000e8d71d3a5196f (nvd: Patch)
- git.kernel.org/stable/c/29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e (nvd: Patch)
- git.kernel.org/stable/c/3439c15ae91a517cf3c650ea15a8987699416ad9 (nvd: Patch)
- git.kernel.org/stable/c/62708b9452f8eb77513115b17c4f8d1a22ebf843 (nvd: Patch)
- git.kernel.org/stable/c/c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677 (nvd: Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd: Mailing List, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)