| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025111255-CVE-2025-40176-f2e3@gregkh> Date: Wed, 12 Nov 2025 05:53:59 -0500 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40176: tls: wait for pending async decryptions if tls_strp_msg_hold fails From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: tls: wait for pending async decryptions if tls_strp_msg_hold fails Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned). In this case, wait for all pending decryption requests. The Linux kernel CVE team has assigned CVE-2025-40176 to this issue. Affected and fixed versions =========================== Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.1.158 with commit 9f83fd0c179e0f458e824e417f9d5ad53443f685 Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.6.114 with commit c61d4368197d65c4809d9271f3b85325a600586a Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.12.55 with commit 39dec4ea3daf77f684308576baf483b55ca7f160 Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.17.5 with commit 4fc109d0ab196bd943b7451276690fb6bb48c2e0 Issue introduced in 6.0 with commit 84c61fe1a75b4255df1e1e7c054c9e6d048da417 and fixed in 6.18-rc2 with commit b8a6ff84abbcbbc445463de58704686011edc8e1 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40176 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/tls/tls_sw.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/9f83fd0c179e0f458e824e417f9d5ad53443f685 https://git.kernel.org/stable/c/c61d4368197d65c4809d9271f3b85325a600586a https://git.kernel.org/stable/c/39dec4ea3daf77f684308576baf483b55ca7f160 https://git.kernel.org/stable/c/4fc109d0ab196bd943b7451276690fb6bb48c2e0 https://git.kernel.org/stable/c/b8a6ff84abbcbbc445463de58704686011edc8e1
Powered by blists - more mailing lists