PT-2026-51868 · Linux · Linux
Published
2026-06-24
·
Updated
2026-06-24
·
CVE-2026-52974
None
No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:

net: tls: fix strparser anchor skb leak on offload RX setup failure

When tls_set_device_offload_rx() fails at tls_dev_add(), the error path
calls tls_sw_free_resources_rx() to clean up the SW context that was
initialized by tls_set_sw_offload(). This function calls
tls_sw_release_resources_rx() (which stops the strparser via
tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context),
but never frees the anchor skb that was allocated by alloc_skb(0) in
tls_strp_init().

Note that tls_sw_free_resources_rx() is exclusively used for this
"failed to start offload" code path, there's no other caller.

The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use
the standard strparser"), because the standard strparser doesn't try
to pre-allocate an skb.

The normal close path in tls_sk_proto_close() handles cleanup by calling
tls_sw_strparser_done() (which calls tls_strp_done()) after dropping
the socket lock, because tls_strp_done() does cancel_work_sync() and
the strparser work handler takes the socket lock.
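
The error path described above can be reproduced in a user-space model that counts outstanding allocations. This C program is an added example, not kernel code and not the upstream patch: every function name is a hypothetical stand-in, and the "fixed" cleanup order is an assumption about how the anchor could be released.

```c
/* User-space model of the RX setup error path; names are hypothetical
 * stand-ins for the kernel functions and ignore locking and work items. */
#include <stdio.h>
#include <stdlib.h>
static int live_allocs; /* allocations not yet freed */

static void *model_alloc(size_t n)
{
    void *p = calloc(1, n ? n : 1);
    if (p) live_allocs++;
    return p;
}
static void model_free(void *p) { if (p) { live_allocs--; free(p); } }

struct strp { void *anchor; int stopped; };
struct rx_ctx { struct strp strp; };

/* Like tls_strp_init(): pre-allocates the anchor. */
static int strp_init(struct strp *s) { s->anchor = model_alloc(0); return s->anchor ? 0 : -1; }
/* Like tls_strp_stop(): stops parsing, frees nothing. */
static void strp_stop(struct strp *s) { s->stopped = 1; }
/* Like tls_strp_done(): releases the anchor. */
static void strp_done(struct strp *s) { model_free(s->anchor); s->anchor = NULL; }

/* Error-path cleanup as described: stop the parser, free the context. */
static void cleanup_leaky(struct rx_ctx *c) { strp_stop(&c->strp); model_free(c); }
/* Assumed corrected order: release the anchor before freeing the context. */
static void cleanup_fixed(struct rx_ctx *c) { strp_stop(&c->strp); strp_done(&c->strp); model_free(c); }

/* SW context is set up, the device add step fails, cleanup runs.
 * Returns the number of allocations the cleanup left behind. */
static int offload_setup_fails(void (*cleanup)(struct rx_ctx *))
{
    int before = live_allocs, leaked;
    struct rx_ctx *c = model_alloc(sizeof(*c));
    if (!c || strp_init(&c->strp)) { model_free(c); return -1; }
    void *anchor = c->strp.anchor;  /* remembered only so the model can reclaim it */
    cleanup(c);                     /* simulated tls_dev_add() failure path */
    leaked = live_allocs - before;
    if (leaked) model_free(anchor); /* keep the demo itself leak-free */
    return leaked;
}

int main(void)
{
    printf("described cleanup leaves %d allocation(s)\n", offload_setup_fails(cleanup_leaky));
    printf("assumed fix leaves %d allocation(s)\n", offload_setup_fails(cleanup_fixed));
    return 0;
}
```

Each failed setup attempt in the leaky variant strands one anchor, so repeated failures accumulate unreclaimed memory.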
Related identifiers
Affected products
Linux