CVE-2025-39946
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-39946, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-04

Last updated on: 2026-04-06

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space. Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send. Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-04
Last Modified
2026-04-06
Generated
2026-07-06
AI Q&A
2025-10-04
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel's TLS implementation involves improper handling of TLS record headers when the socket buffer is very small. Normally, the system waits to buffer the entire TLS record before processing it, but with a tiny socket buffer, data is read earlier to avoid connection stalls. If the TLS record header is invalid and discovered late, the system previously tried to retry parsing, copying more data each time, which could overflow the allocated socket buffer space (skb). The fix ensures that the connection is aborted immediately upon detecting an invalid TLS record, preventing buffer overflow and potential instability.

Impact Analysis

This vulnerability can lead to a buffer overflow in the Linux kernel's TLS processing, which may cause connection instability or crashes. An attacker could exploit this by sending specially crafted TLS records in small out-of-band segments to trigger the overflow, potentially leading to denial of service or other unpredictable behavior in systems relying on the affected Linux kernel TLS implementation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-39946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart