CVE-2025-39946
BaseFortify

Publication date: 2025-10-04

Last updated on: 2026-04-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

tls: make sure to abort the stream if headers are bogus

Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid.

Retrying the parsing is fine in itself, but since we copy some more data each time before we parse, we can overflow the allocated skb space.

Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send.

Make sure that tls_rx_msg_size() aborts strp; if we reach an invalid record there's really no way to recover.
Meta Information
Published: 2025-10-04
Last modified: 2026-04-06
Generated: 2026-05-07
AI Q&A: 2025-10-04
EPSS evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version range: from 5.15.160 (inclusive) to 5.16 (inclusive)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's TLS implementation involves improper handling of TLS record headers when the socket buffer is very small. Normally, the system waits to buffer the entire TLS record before processing it, but with a tiny socket buffer, data is read earlier to avoid connection stalls. If the TLS record header is invalid and discovered late, the system previously tried to retry parsing, copying more data each time, which could overflow the allocated socket buffer space (skb). The fix ensures that the connection is aborted immediately upon detecting an invalid TLS record, preventing buffer overflow and potential instability.

How can this vulnerability impact me?

This vulnerability can lead to a buffer overflow in the Linux kernel's TLS processing, which may cause connection instability or crashes. An attacker could exploit this by sending specially crafted TLS records in small out-of-band segments to trigger the overflow, potentially leading to denial of service or other unpredictable behavior in systems relying on the affected Linux kernel TLS implementation.