Description
In the Linux kernel, the following vulnerability has been resolved:

tls: Purge async_hold in tls_decrypt_async_wait()

The async_hold queue pins encrypted input skbs while
the AEAD engine references their scatterlist data. Once
tls_decrypt_async_wait() returns, every AEAD operation
has completed and the engine no longer references those
skbs, so they can be freed unconditionally.

A subsequent patch adds batch async decryption to
tls_sw_read_sock(), introducing a new call site that
must drain pending AEAD operations and release held
skbs. Move __skb_queue_purge(&ctx->async_hold) into
tls_decrypt_async_wait() so the purge is centralized
and every caller -- recvmsg's drain path, the -EBUSY
fallback in tls_do_decryption(), and the new read_sock
batch path -- releases held skbs on synchronization
without each site managing the purge independently.

This fixes a leak when tls_strp_msg_hold() fails part-way through,
after having added some cloned skbs to the async_hold
queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to
process all pending decrypts, and drop back to synchronous mode, but
tls_sw_recvmsg() only flushes the async_hold queue when one record has
been processed in "fully-async" mode, which may not be the case here.

[pabeni@redhat.com: added leak comment]
Published: 2026-04-02
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak causing Resource Exhaustion
Action: Apply Patch
AI Analysis

Impact

A flaw in the Linux kernel’s TLS asynchronous decryption flow left encrypted socket buffers queued in an async_hold list that were never released after decryption completed. This unused memory is leaked into the kernel heap, potentially allowing an attacker or network client to grow large numbers of buffers and exhaust kernel memory, leading to degraded performance or system failure. The weakness is classified as CWE-911: Insufficient Resource Monitoring and Control.

Affected Systems

All systems running any Linux kernel that incorporates the affected TLS code paths are vulnerable. The CVE does not provide a specific affected-version range, so all kernel releases before the backported patch implementing the purge of the async_hold queue may be impacted. This includes mainstream distributions that have shipped kernels before the recent security updates.

Risk and Exploitability

The CVSS score of 7.0 indicates a moderate-to-high severity, while the EPSS score being less than 1 % suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to generate TLS traffic that triggers a partial decryption failure, causing the async_hold queue to accumulate unreleased socket buffers. Once the heap memory is exhausted, the kernel could reject further allocations or crash, creating a denial‑of‑service condition. The attack vector is likely network‑based, and requires continuous TLS communication to reach the resource exhaustion threshold.

Generated by OpenCVE AI on April 3, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that contains the async_hold purge patch.
  • If a kernel upgrade is not possible immediately, look for vendor‑issued temporary mitigations or disable the affected TLS decryption path where feasible.
  • Check your distribution’s security advisories for relevant updates and apply them as soon as available.
  • Monitor kernel memory usage for unexpected growth that may indicate the resource leak.

Generated by OpenCVE AI on April 3, 2026 at 03:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 11 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
References

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Thu, 02 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tls: Purge async_hold in tls_decrypt_async_wait() The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally. A subsequent patch adds batch async decryption to tls_sw_read_sock(), introducing a new call site that must drain pending AEAD operations and release held skbs. Move __skb_queue_purge(&ctx->async_hold) into tls_decrypt_async_wait() so the purge is centralized and every caller -- recvmsg's drain path, the -EBUSY fallback in tls_do_decryption(), and the new read_sock batch path -- releases held skbs on synchronization without each site managing the purge independently. This fixes a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to process all pending decrypts, and drop back to synchronous mode, but tls_sw_recvmsg() only flushes the async_hold queue when one record has been processed in "fully-async" mode, which may not be the case here. [pabeni@redhat.com: added leak comment]
Title tls: Purge async_hold in tls_decrypt_async_wait()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:06:58.358Z

Reserved: 2026-01-13T15:37:46.014Z

Link: CVE-2026-23414

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T12:16:20.633

Modified: 2026-04-24T15:22:43.073

Link: CVE-2026-23414

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-02T00:00:00Z

Links: CVE-2026-23414 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:18:54Z

Weaknesses