Description
In the Linux kernel, the following vulnerability has been resolved:

tls: make sure to abort the stream if headers are bogus

Normally we wait for the socket to buffer up the whole record
before we service it. If the socket has a tiny buffer, however,
we read out the data sooner, to prevent connection stalls.
Make sure that we abort the connection when we find out late
that the record is actually invalid. Retrying the parsing is
fine in itself but since we copy some more data each time
before we parse we can overflow the allocated skb space.

Constructing a scenario in which we're under pressure without
enough data in the socket to parse the length upfront is quite
hard. syzbot figured out a way to do this by serving us the header
in small OOB sends, and then filling in the recvbuf with a large
normal send.

Make sure that tls_rx_msg_size() aborts strp, if we reach
an invalid record there's really no way to recover.
Published: 2025-10-04
Score: 9.8 Critical
EPSS: 8.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel TLS subsystem can fail to abort a connection after detecting an invalid record late in the parsing process. The code reads data from a socket before fully verifying the record length, which allows a crafted TLS header to cause an overflow of the allocated socket buffer space during parsing. This overflow can corrupt kernel memory; the resulting damage can lead to loss of confidentiality, integrity, or availability, potentially allowing an attacker to execute arbitrary code. The likely attack vector is inferred from the description to require an attacker to send an out‑of‑band TLS header followed by a larger normal send, a complex but feasible scenario.

Affected Systems

The bug impacts Linux kernel versions 6.17 release candidates 1 through 6. No other vendor products are referenced. The affected component is the kernel’s TLS subsystem, which resides in the Linux kernel itself.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. The EPSS score of 9% reflects a moderate probability that the vulnerability will be exploited in the wild, while it is not yet listed in the CISA KEV catalog. For exploitation, an attacker would need to craft a TLS header sent in a small out‑of‑band fragment and then deliver a larger normal packet to trigger the buffer overflow. Given the high impact and the confirmed kernel code path, a proactive mitigation is warranted.

Generated by OpenCVE AI on June 18, 2026 at 17:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a patched release such as 6.17 stable or a newer version that contains the fix for CVE‑2025‑39946.
  • If an immediate kernel upgrade is not possible, apply the specific backport patch from the Linux kernel mailing list or your distribution’s security advisory to block the vulnerable code path.
  • Implement network filtering or firewall rules to restrict untrusted TLS traffic, thereby reducing the likelihood that malformed records reach the kernel before the patch can be applied.

Generated by OpenCVE AI on June 18, 2026 at 17:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4379-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6053-1 linux security update
EUVD EUVD EUVD-2025-32391 In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space. Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send. Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.
Ubuntu USN Ubuntu USN USN-7921-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7934-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-7936-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-7921-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-1 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-4 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-5 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-2 Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-6 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-1 Linux kernel (Low Latency) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-7 Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-8 Linux kernel (IBM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-2 Linux kernel (Xilinx) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-2 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8126-1 Linux kernel (Azure) vulnerabilities
History

Thu, 18 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Tue, 16 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 27 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 06 Oct 2025 22:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Vendors & Products Linux
Linux linux Kernel

Sat, 04 Oct 2025 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space. Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send. Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.
Title tls: make sure to abort the stream if headers are bogus
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-16T16:11:14.264Z

Reserved: 2025-04-16T07:20:57.148Z

Link: CVE-2025-39946

cve-icon Vulnrichment

Updated: 2026-06-16T16:11:05.117Z

cve-icon NVD

Status : Analyzed

Published: 2025-10-04T08:15:47.747

Modified: 2026-06-17T09:18:53.247

Link: CVE-2025-39946

cve-icon Redhat

Severity : Important

Publid Date: 2025-10-04T00:00:00Z

Links: CVE-2025-39946 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T17:45:13Z

Weaknesses