Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4188 articles · 176150 vulns · 36/41 feeds (7d)
← Back to list
9.8
CVE-2026-31533EXPLOITEDPATCHED
linux · linux_kernel

net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

Description

In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.

Affected Products

VendorProductVersions
linuxlinux_kernel3ade391adc584f17b5570fd205de3ad029090368, cd1bbca03f3c1d845ce274c0d0a66de8e5929f72, 13eca403876bbea3716e82cdfe6f1e6febb38754, 8590541473188741055d27b955db0777569438e3, 8590541473188741055d27b955db0777569438e3, 8590541473188741055d27b955db0777569438e3, 8590541473188741055d27b955db0777569438e3, ab6397f072e5097f267abf5cb08a8004e6b17694, 5.15.160, 6.1.84, 6.6.18, 6.7.6, 6.8

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
linuxlinuxmitre_affected90%
open sourcelinux kernelcert_advisory90%

References

  • https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a
  • https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0
  • https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8
  • https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf
  • https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412
  • https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74
  • https://git.kernel.org/stable/c/a9b8b18364fffce4c451e6f6fd218fa4ab646705

Related News (8 articles)

Tier B
CERT-FR16h ago
Multiples vulnérabilités dans les produits Siemens (15 juillet 2026)
→ No new info (linked only)
Tier B
CERT-FR16d ago
Bulletin d'actualité CERTFR-2026-ACT-028 (29 juin 2026)
→ No new info (linked only)
Tier B
CERT-FR19d ago
Multiples vulnérabilités dans le noyau Linux d'Ubuntu (26 juin 2026)
→ No new info (linked only)
Tier B
CERT-FR40d ago
Multiples vulnérabilités dans le noyau Linux de SUSE (05 juin 2026)
→ No new info (linked only)
Tier A
Microsoft MSRC75d ago
CVE-2026-31533 net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
→ No new info (linked only)
Tier B
BSI Advisories82d ago
[NEU] [mittel] Linux Kernel: Schwachstelle ermöglicht nicht spezifizierten Angriff
→ No new info (linked only)
Tier C
VulDB82d ago
CVE-2026-31533 | Linux Kernel up to 6.19.12 tls tls_do_encryption use after free
→ No new info (linked only)
Tier C
Linux Kernel CVEs83d ago
CVE-2026-31533: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
414fc5e5a5aff776c150f1b86770e0a25a35df3a02f3ecadb23558bbe068e6504118f1b712d4ece00e43e0a3c94044acc74b8e0927c27972eb5a59e8aa9facde6c5005205874c37db3fd25799d741baf5d70eb25b41e9b010828cd12818b06a0c3b044122694d408b0e595024e0fc1d64ff9db0358580f74a9b8b18364fffce4c451e6f6fd218fa4ab64670505.15.2036.1.1696.6.1356.12.826.18.236.19.137.0
PublishedApr 23, 2026
Last enriched82d agov3
Trending Score68
Source articles8
Independent5
Info Completeness8/14
Missing: cvss, epss, cwe, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-31431EXPKEV
crypto: algif_aead - Revert to operating out-of-place
Trending: 145
HIGHCVE-2026-43284EXPKEV
xfrm: esp: avoid in-place decrypt on shared skb frags
Trending: 138
HIGHCVE-2026-46333EXP
ptrace: slightly saner 'get_dumpable()' logic
Trending: 93
HIGHCVE-2026-46300EXP
net: skbuff: preserve shared-frag marker during coalescing
Trending: 81
NONECVE-2026-53359EXP
KVM: x86: Fix shadow paging use-after-free due to unexpected role
Trending: 72

Pin to Dashboard

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published
Apr 23, 2026
Discovered by ZDM
Apr 23, 2026
Updated: affectedVersions
Apr 23, 2026
Updated: severity, exploitAvailable, activelyExploited
Apr 24, 2026
Actively Exploited
May 23, 2026
Exploit Available
May 23, 2026
Patch Available
May 23, 2026

Version History

v3
Last enriched 82d ago
v3Tier B82d ago

Updated severity to HIGH and marked the vulnerability as exploit available and actively exploited.

severityexploitAvailableactivelyExploited
via BSI Advisories
v2Tier C82d ago

Updated severity to CRITICAL, added affected version 6.19.12, and corrected exploit availability to false.

affectedVersions
via VulDB
v183d ago

Initial creation