Description
In the Linux kernel, the following vulnerability has been resolved:

net: tls: fix strparser anchor skb leak on offload RX setup failure

When tls_set_device_offload_rx() fails at tls_dev_add(), the error path
calls tls_sw_free_resources_rx() to clean up the SW context that was
initialized by tls_set_sw_offload(). This function calls
tls_sw_release_resources_rx() (which stops the strparser via
tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context),
but never frees the anchor skb that was allocated by alloc_skb(0) in
tls_strp_init().

Note that tls_sw_free_resources_rx() is exclusively used for this
"failed to start offload" code path, there's no other caller.

The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use
the standard strparser"), because the standard strparser doesn't try
to pre-allocate an skb.

The normal close path in tls_sk_proto_close() handles cleanup by calling
tls_sw_strparser_done() (which calls tls_strp_done()) after dropping
the socket lock, because tls_strp_done() does cancel_work_sync() and
the strparser work handler takes the socket lock.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an anchor socket buffer (skb) leak in the Linux kernel TLS offload subsystem. During a failed offload RX setup, the error path cleans most allocated resources, but it fails to free an skb allocated in the string parser initialization. This leak can accumulate over time, potentially exhausting kernel memory or remote areas of the system, and may result in degraded performance or service interruption. The weakness involves improper resource management and falls under the category of memory/resource leaks.

Affected Systems

All Linux kernel builds that incorporate TLS offload functionality prior to the patch that removes the skb allocation in tls_strp_init are affected. The vulnerability is specifically tied to the net: tls: tls_set_device_offload_rx() routine and its error handling path. It affects the generic Linux kernel, as denoted by the CPE entry for Linux kernel releases not containing the fix.

Risk and Exploitability

No public exploits or indicators of exploitation are listed, and the EPSS score is unavailable, indicating no known widespread exploitation activity. The vulnerability does not provide network-exposed code execution, but an attacker who can trigger frequent offload failures could drain system memory over time, causing a denial of service. The risk is considered moderate to high in environments where TLS offload is enabled and the affected kernel version is in use. Since the issue is a memory consumption problem rather than a code execution vector, immediate response is mitigated by a kernel update, but monitoring for abnormal memory usage is prudent.

Generated by OpenCVE AI on June 24, 2026 at 18:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit that frees the anchor skb in the TLS offload error path
  • If an immediate kernel upgrade is not feasible, disable TLS offload functionality or force TLS to run in software mode to avoid the faulty error path
  • Monitor system memory usage for leaks or abrupt increases and apply additional system hardening such as cgroups to limit memory consumption per process

Generated by OpenCVE AI on June 24, 2026 at 18:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: tls: fix strparser anchor skb leak on offload RX setup failure When tls_set_device_offload_rx() fails at tls_dev_add(), the error path calls tls_sw_free_resources_rx() to clean up the SW context that was initialized by tls_set_sw_offload(). This function calls tls_sw_release_resources_rx() (which stops the strparser via tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context), but never frees the anchor skb that was allocated by alloc_skb(0) in tls_strp_init(). Note that tls_sw_free_resources_rx() is exclusively used for this "failed to start offload" code path, there's no other caller. The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use the standard strparser"), because the standard strparser doesn't try to pre-allocate an skb. The normal close path in tls_sk_proto_close() handles cleanup by calling tls_sw_strparser_done() (which calls tls_strp_done()) after dropping the socket lock, because tls_strp_done() does cancel_work_sync() and the strparser work handler takes the socket lock.
Title net: tls: fix strparser anchor skb leak on offload RX setup failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:51.826Z

Reserved: 2026-06-09T07:44:35.375Z

Link: CVE-2026-52974

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses

No weakness.