CVE-2026-23414

Advisory lineage Upstream: 0 Downstream: 10

Downstream

DEBIAN-CVE-2026-23414 MGASA-2026-0108 MGASA-2026-0110 OPENSUSE-SU-2026:20572-1 SUSE-SU-2026:1573-1 SUSE-SU-2026:21114-1

Modified

Published: 02 Apr 2026, 11:40

Last modified:23 May 2026, 16:04

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.04% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

02 Apr 2026, 11:40

Published

Vulnerability first disclosed

23 May 2026, 16:04

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: tls: Purge async_hold in tls_decrypt_async_wait() The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally. A subsequent patch adds batch async decryption to tls_sw_read_sock(), introducing a new call site that must drain pending AEAD operations and release held skbs. Move __skb_queue_purge(&ctx->async_hold) into tls_decrypt_async_wait() so the purge is centralized and every caller -- recvmsg's drain path, the -EBUSY fallback in tls_do_decryption(), and the new read_sock batch path -- releases held skbs on synchronization without each site managing the purge independently. This fixes a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to process all pending decrypts, and drop back to synchronous mode, but tls_sw_recvmsg() only flushes the async_hold queue when one record has been processed in "fully-async" mode, which may not be the case here. [pabeni@redhat.com: added leak comment]

CVSS Metrics

v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.04%• Percentile: 14%

Techniques & Countermeasures

CWE-401•Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Affected Systems

linux•linux
9f83fd0c179e0f458e824e417f9d5ad53443f685 | ≥ 9f83fd0c179e0f458e824e417f9d5ad53443f685, < ac435be7c7613eb13a5a8ceb5182e10b50c9ce87 | ≥ c61d4368197d65c4809d9271f3b85325a600586a, < 2dcf324855c34e7f934ce978aa19b645a8f3ee71 | ≥ 39dec4ea3daf77f684308576baf483b55ca7f160, < 6dc11e0bd0a5466bcc76d275c09e5537bd0597dd | ≥ b8a6ff84abbcbbc445463de58704686011edc8e1, < 9f557c7eae127b44d2e863917dc986a4b6cb1269 | ≥ b8a6ff84abbcbbc445463de58704686011edc8e1, < fd8037e1f18ca5336934d0e0e7e1a4fe097e749d | ≥ b8a6ff84abbcbbc445463de58704686011edc8e1, < 84a8335d8300576f1b377ae24abca1d9f197807f | 4fc109d0ab196bd943b7451276690fb6bb48c2e0 | ≥ 6.1.158, < 6.1.168 | ≥ 6.6.114, < 6.6.131 | ≥ 6.12.55, < 6.12.80 | ≥ 6.17.5, < 6.18 | 6.18
linux•linux_kernel
≥ 6.1.158, < 6.1.168 | ≥ 6.6.114, < 6.6.131 | ≥ 6.12.55, < 6.12.80 | ≥ 6.17.5, < 6.18 | ≥ 6.18.1, < 6.18.21 | ≥ 6.19, < 6.19.11 | 6.18 | 7.0:rc1 | 7.0:rc2 | 7.0:rc3 | 7.0:rc4 | 7.0:rc5 | 7.0:rc6 | 7.0:rc7