Skip to content

In the Linux kernel, the following vulnerability has been...

Unreviewed Published Apr 4, 2024 to the GitHub Advisory Database • Updated Apr 20, 2024

Package

No package listedSuggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

In the Linux kernel, the following vulnerability has been resolved:

tls: fix use-after-free on failed backlog decryption

When the decrypt request goes to the backlog and crypto_aead_decrypt
returns -EBUSY, tls_do_decryption will wait until all async
decryptions have completed. If one of them fails, tls_do_decryption
will return -EBADMSG and tls_decrypt_sg jumps to the error path,
releasing all the pages. But the pages have been passed to the async
callback, and have already been released by tls_decrypt_done.

The only true async case is when crypto_aead_decrypt returns
-EINPROGRESS. With -EBUSY, we already waited so we can tell
tls_sw_recvmsg that the data is available for immediate copy, but we
need to notify tls_decrypt_sg (via the new ->async_done flag) that the
memory has already been released.

References

Published by the National Vulnerability Database Apr 4, 2024
Published to the GitHub Advisory Database Apr 4, 2024
Last updated Apr 20, 2024

Severity

Unknown

EPSS score

0.045%
(17th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2024-26800

GHSA ID

GHSA-q4hp-86wf-hj44

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.