// For flags

CVE-2024-26582

net: tls: fix use-after-free with partial reads and async decrypt

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net: tls: fix use-after-free with partial reads and async decrypt

tls_decrypt_sg doesn't take a reference on the pages from clear_skb,
so the put_page() in tls_decrypt_done releases them, and we trigger
a use-after-free in process_rx_list when we try to read from the
partially-read skb.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tls: corrige el use-after-free con lecturas parciales y descifrado asíncrono tls_decrypt_sg no toma una referencia en las páginas de clear_skb, por lo que put_page() en tls_decrypt_done las libera y activamos un use-after-free en Process_rx_list cuando intentamos leer desde el skb parcialmente leído.

A use-after-free vulnerability was found in the tls subsystem of the Linux kernel. The tls_decrypt_sg() function doesn't take references on the pages from clear_skb, so the put_page() in tls_decrypt_done() releases them and a use-after-free can be triggered in process_rx_list when trying to read from the partially-read skb. This issue could lead to a denial of service condition or code execution.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-02-19 CVE Reserved
  • 2024-02-21 CVE Published
  • 2024-03-16 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-416: Use After Free
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.0 < 6.1.79
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.1.79"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.0 < 6.6.18
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.6.18"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.0 < 6.7.6
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.7.6"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.0 < 6.8
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.8"
en
Affected