PT-2024-3477 · Linux · Linux Kernel
Sabrina Dubroca · Published 2024-02-29 · Updated 2025-12-11
CVE-2024-26800 · CVSS v3.1 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
This is a use-after-free vulnerability in the Linux kernel's TLS implementation (net/tls). When a decrypt request goes to the crypto backlog and crypto_aead_decrypt() returns -EBUSY, tls_do_decryption() waits until all outstanding async decryptions have completed. If one of them fails, tls_do_decryption() returns -EBADMSG and tls_decrypt_sg() jumps to its error path, releasing all the pages. However, those pages were already handed to the async callback and have already been released by tls_decrypt_done(), so they are freed twice. The only truly asynchronous case is when crypto_aead_decrypt() returns -EINPROGRESS. With -EBUSY, the kernel has already waited for completion, so it can tell tls_sw_recvmsg() that the data is available for immediate copy, but it must also notify tls_decrypt_sg() (via the new ->async_done flag) that the memory has already been released and must not be freed again.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Use After Free
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Linux Kernel
Suse
Ubuntu