Bug 2389471 (CVE-2025-38608)

Summary: CVE-2025-38608 kernel: Linux kernel kTLS: Denial of Service from uninitialized data transmission
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's kernel Transport Layer Security (kTLS) component. When plaintext data length is reduced through socket policy, the system fails to correctly recalculate the ciphertext length. This can lead to the transmission of uninitialized data appended to Transport Layer Security (TLS) records, causing errors and potentially a Denial of Service (DoS) on the receiving end.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-08-19 18:02:31 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls

When sending plaintext data, we initially calculated the corresponding
ciphertext length. However, if we later reduced the plaintext data length
via socket policy, we failed to recalculate the ciphertext length.

This results in transmitting buffers containing uninitialized data during
ciphertext transmission.

This causes uninitialized bytes to be appended after a complete
"Application Data" packet, leading to errors on the receiving end when
parsing TLS record.
Comment 1 Alexander B 2025-08-20 08:48:55 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025081923-CVE-2025-38608-e829@gregkh/T