CVE-2026-52974

NameCVE-2026-52974
DescriptionIn the Linux kernel, the following vulnerability has been resolved: net: tls: fix strparser anchor skb leak on offload RX setup failure When tls_set_device_offload_rx() fails at tls_dev_add(), the error path calls tls_sw_free_resources_rx() to clean up the SW context that was initialized by tls_set_sw_offload(). This function calls tls_sw_release_resources_rx() (which stops the strparser via tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context), but never frees the anchor skb that was allocated by alloc_skb(0) in tls_strp_init(). Note that tls_sw_free_resources_rx() is exclusively used for this "failed to start offload" code path, there's no other caller. The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use the standard strparser"), because the standard strparser doesn't try to pre-allocate an skb. The normal close path in tls_sk_proto_close() handles cleanup by calling tls_sw_strparser_done() (which calls tls_strp_done()) after dropping the socket lock, because tls_strp_done() does cancel_work_sync() and the strparser work handler takes the socket lock.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4665-1, DLA-4671-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)bullseye5.10.223-1fixed
bullseye (security)5.10.259-1fixed
bookworm, bookworm (security)6.1.176-1fixed
trixie6.12.94-1fixed
trixie (security)6.12.95-1fixed
forky, sid7.1.3-1fixed
linux-6.1 (PTS)bullseye (security)6.1.176-1~deb11u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcebullseye(not affected)
linuxsourcebookworm6.1.176-1DLA-4665-1
linuxsourcetrixie6.12.94-1
linuxsource(unstable)7.0.10-1
linux-6.1sourcebullseye6.1.176-1~deb11u1DLA-4671-1

Notes

[bullseye] - linux <not-affected> (Vulnerable code not present)
https://git.kernel.org/linus/58689498ca3384851145a754dbb1d8ed1cf9fb54 (7.1-rc2)

Search for package or bug name: Reporting problems