PT-2026-34679 · Linux+2 · Linux Kernel+2

Published 2026-04-23 · Updated 2026-06-11 · CVE-2026-31533

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A use-after-free issue exists in the net/tls component. When the crypto_aead_encrypt() function returns -EBUSY, a request is enqueued to the cryptd backlog. If the tls_encrypt_async_wait() function subsequently returns an error, the synchronous error path in tls_do_encryption() performs a cleanup of the encrypt_pending variable and the scatterlist entry that has already been handled by the tls_encrypt_done() callback. This double-decrement corrupts the encrypt_pending sentinel, causing tls_encrypt_async_wait() to permanently skip waiting for pending async callbacks. Consequently, a subsequent sendmsg operation can free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, leading to a use-after-free when the callback executes on the freed record.

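
An added example, not code from the kernel or from this advisory: a single-threaded userspace C model of the counter accounting described above, showing how a second decrement for one request makes the next wait return without blocking. It assumes the counter rests at 1 as its sentinel and that the waiter drops and restores that sentinel; all `model_*` names are hypothetical, and the `double_dec == false` branch only omits the extra decrement, it is not the upstream fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the TX context counter. Assumption: it rests at 1 (the sentinel). */
struct tx_model { int encrypt_pending; };

/* Waiter: drop the sentinel; a non-zero remainder means callbacks are
 * outstanding, so block until they finish. Returns true if it waited. */
static bool model_async_wait(struct tx_model *c)
{
    bool waited = (--c->encrypt_pending != 0);
    if (waited)
        c->encrypt_pending = 0;  /* callbacks ran and decremented while we blocked */
    c->encrypt_pending++;        /* put the sentinel back */
    return waited;
}

/* -EBUSY submission whose wait reports an error. The callback has already
 * accounted for the request; double_dec models the extra cleanup. */
static void model_ebusy_error(struct tx_model *c, bool double_dec)
{
    c->encrypt_pending++;        /* request queued to the backlog */
    model_async_wait(c);         /* callback fires during the wait */
    if (double_dec)
        c->encrypt_pending--;    /* second decrement for the same request */
}

/* Returns true if the next wait is skipped while a callback is in flight. */
static bool wait_skipped_after_error(bool double_dec)
{
    struct tx_model c = { .encrypt_pending = 1 };
    model_ebusy_error(&c, double_dec);
    c.encrypt_pending++;         /* next record submitted, callback pending */
    return !model_async_wait(&c);
}

int main(void)
{
    printf("double decrement: wait skipped = %d\n", wait_skipped_after_error(true));
    printf("single decrement: wait skipped = %d\n", wait_skipped_after_error(false));
    return 0;
}
```
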
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Use After Free

Related Identifiers

CVE-2026-31533
ECHO-59D8-1E81-857D
USN-8277-1
USN-8277-2
USN-8278-1
USN-8278-2
USN-8279-1
USN-8279-2
USN-8279-3
USN-8280-1
USN-8280-2
USN-8280-3
USN-8289-1
USN-8289-2
USN-8305-1
USN-8305-2
USN-8310-1
USN-8350-1
USN-8351-1
USN-8374-1
USN-8391-1
USN-8392-1
USN-8393-1
USN-8426-1

Affected Products

Linuxmint
Linux Kernel
Ubuntu