Bug 2401414 (CVE-2025-39946) - CVE-2025-39946 kernel: tls: make sure to abort the stream if headers are bogus
Summary: CVE-2025-39946 kernel: tls: make sure to abort the stream if headers are bogus
Keywords:
Status: NEW
Alias: CVE-2025-39946
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-04 08:01 UTC by OSIDB Bzimport
Modified: 2025-10-09 18:44 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-04 08:01:49 UTC 
In the Linux kernel, the following vulnerability has been resolved:

tls: make sure to abort the stream if headers are bogus

Normally we wait for the socket to buffer up the whole record
before we service it. If the socket has a tiny buffer, however,
we read out the data sooner, to prevent connection stalls.
Make sure that we abort the connection when we find out late
that the record is actually invalid. Retrying the parsing is
fine in itself but since we copy some more data each time
before we parse we can overflow the allocated skb space.

Constructing a scenario in which we're under pressure without
enough data in the socket to parse the length upfront is quite
hard. syzbot figured out a way to do this by serving us the header
in small OOB sends, and then filling in the recvbuf with a large
normal send.

Make sure that tls_rx_msg_size() aborts strp, if we reach
an invalid record there's really no way to recover.
Comment 1 Jon Moroney 2025-10-06 16:16:26 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100419-CVE-2025-39946-5f17@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.