{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31533", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.113Z", "datePublished": "2026-04-23T15:11:06.955Z", "dateUpdated": "2026-04-23T15:11:06.955Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-23T15:11:06.955Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge->offset, sge->length) and decrements\nctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tls/tls_sw.c"], "versions": [{"version": "3ade391adc584f17b5570fd205de3ad029090368", "lessThan": "414fc5e5a5aff776c150f1b86770e0a25a35df3a", "status": "affected", "versionType": "git"}, {"version": "cd1bbca03f3c1d845ce274c0d0a66de8e5929f72", "lessThan": "02f3ecadb23558bbe068e6504118f1b712d4ece0", "status": "affected", "versionType": "git"}, {"version": "13eca403876bbea3716e82cdfe6f1e6febb38754", "lessThan": "0e43e0a3c94044acc74b8e0927c27972eb5a59e8", "status": "affected", "versionType": "git"}, {"version": "8590541473188741055d27b955db0777569438e3", "lessThan": "aa9facde6c5005205874c37db3fd25799d741baf", "status": "affected", "versionType": "git"}, {"version": "8590541473188741055d27b955db0777569438e3", "lessThan": "5d70eb25b41e9b010828cd12818b06a0c3b04412", "status": "affected", "versionType": "git"}, {"version": "8590541473188741055d27b955db0777569438e3", "lessThan": "2694d408b0e595024e0fc1d64ff9db0358580f74", "status": "affected", "versionType": "git"}, {"version": "8590541473188741055d27b955db0777569438e3", "lessThan": "a9b8b18364fffce4c451e6f6fd218fa4ab646705", "status": "affected", "versionType": "git"}, {"version": "ab6397f072e5097f267abf5cb08a8004e6b17694", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tls/tls_sw.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.160", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.84", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.18", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a"}, {"url": "https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0"}, {"url": "https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8"}, {"url": "https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf"}, {"url": "https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412"}, {"url": "https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74"}, {"url": "https://git.kernel.org/stable/c/a9b8b18364fffce4c451e6f6fd218fa4ab646705"}], "title": "net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge->offset, sge->length) and decrements\nctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration."}], "id": "CVE-2026-31533", "lastModified": "2026-04-23T18:16:26.857", "metrics": {}, "published": "2026-04-23T18:16:26.857", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a9b8b18364fffce4c451e6f6fd218fa4ab646705"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}