Description
In the Linux kernel, the following vulnerability has been resolved:

tls: make sure to abort the stream if headers are bogus

Normally we wait for the socket to buffer up the whole record
before we service it. If the socket has a tiny buffer, however,
we read out the data sooner, to prevent connection stalls.
Make sure that we abort the connection when we find out late
that the record is actually invalid. Retrying the parsing is
fine in itself but since we copy some more data each time
before we parse we can overflow the allocated skb space.

Constructing a scenario in which we're under pressure without
enough data in the socket to parse the length upfront is quite
hard. syzbot figured out a way to do this by serving us the header
in small OOB sends, and then filling in the recvbuf with a large
normal send.

Make sure that tls_rx_msg_size() aborts strp, if we reach
an invalid record there's really no way to recover.
Published: 2025-10-04
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs when the Linux kernel fails to abort a TLS connection after detecting an invalid record late in the parsing process. The code reads data from the socket before fully verifying the record length, which allows a crafted header to overflow the socket buffer space allocated for the packet. This overflow can corrupt kernel memory and potentially let an attacker execute arbitrary code, thereby compromising confidentiality, integrity and availability of the affected system.

Affected Systems

The bug impacts Linux kernel versions 6.17 release candidate 1 through release candidate 6. No other vendor products are mentioned in the listings. The kernel’s TLS subsystem code is the relevant component.

Risk and Exploitability

The CVSS score of 9.8 signals a critical severity, yet the EPSS score of less than 1% indicates a low probability of exploitation in the wild. Attackers would need to send an out‑of‑band TLS header followed by a larger normal send to trigger the bug, which is complex but feasible. The vulnerability is not yet listed in the CISA KEV catalog. Given the high impact and confirmed kernel code path, a proactive mitigation is warranted.

Generated by OpenCVE AI on April 27, 2026 at 23:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a patched release such as 6.17 stable or a newer version that contains the fix for CVE‑2025‑39946.
  • If an immediate kernel upgrade is not possible, apply the specific backport patch from the Linux kernel mailing list or your distribution’s security advisory to block the vulnerable code path.
  • Implement network filtering or firewall rules to restrict untrusted TLS traffic, thereby reducing the likelihood that malformed records reach the kernel before the patch can be applied.

Generated by OpenCVE AI on April 27, 2026 at 23:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4379-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6053-1 linux security update
EUVD EUVD EUVD-2025-32391 In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space. Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send. Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.
Ubuntu USN Ubuntu USN USN-7921-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7934-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-7936-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-7921-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-1 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-4 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-5 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-2 Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-6 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-1 Linux kernel (Low Latency) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-7 Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-8 Linux kernel (IBM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-2 Linux kernel (Xilinx) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-2 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8126-1 Linux kernel (Azure) vulnerabilities
History

Thu, 02 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 27 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 06 Oct 2025 22:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Vendors & Products Linux
Linux linux Kernel

Sat, 04 Oct 2025 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space. Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send. Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.
Title tls: make sure to abort the stream if headers are bogus
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:39:28.960Z

Reserved: 2025-04-16T07:20:57.148Z

Link: CVE-2025-39946

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2025-10-04T08:15:47.747

Modified: 2026-04-06T13:30:51.763

Link: CVE-2025-39946

cve-icon Redhat

Severity : Important

Publid Date: 2025-10-04T00:00:00Z

Links: CVE-2025-39946 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T00:00:18Z

Weaknesses