CVE-2026-52974
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: tls: fix strparser anchor skb leak on offload RX setup failure When tls_set_device_offload_rx() fails at tls_dev_add(), the error path calls tls_sw_free_resources_rx() to clean up the SW context that was initialized by tls_set_sw_offload(). This function calls tls_sw_release_resources_rx() (which stops the strparser via tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context), but never frees the anchor skb that was allocated by alloc_skb(0) in tls_strp_init(). Note that tls_sw_free_resources_rx() is exclusively used for this "failed to start offload" code path, there's no other caller. The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use the standard strparser"), because the standard strparser doesn't try to pre-allocate an skb. The normal close path in tls_sk_proto_close() handles cleanup by calling tls_sw_strparser_done() (which calls tls_strp_done()) after dropping the socket lock, because tls_strp_done() does cancel_work_sync() and the strparser work handler takes the socket lock.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52974
EUVD
EUVD-2026-38842
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a memory leak in the Linux kernel's TLS (Transport Layer Security) offload receive (RX) setup process. Specifically, when the function tls_set_device_offload_rx() fails during tls_dev_add(), the cleanup function tls_sw_free_resources_rx() is called to free software context resources. However, this cleanup function does not free an allocated anchor socket buffer (skb) that was created earlier by tls_strp_init(). This results in a leak of the anchor skb memory.

The leak occurs only in the error path when starting offload fails and is related to changes made after a specific commit that altered how the strparser works. The normal socket close path properly frees resources, but this particular error cleanup path misses freeing the anchor skb.

Impact Analysis

This vulnerability can lead to a memory leak in the Linux kernel when TLS offload receive setup fails. Over time, repeated failures could cause increased memory consumption, potentially degrading system performance or leading to resource exhaustion.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52974. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart