CVE-2024-26800

2024-04-0400:00:00

ubuntu.com

linux

kernel

tls

vulnerability

cve-2024-26800

resolved

decryption

memory

release

AI Score

7.9

Confidence

High

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved: tls:
fix use-after-free on failed backlog decryption When the decrypt request
goes to the backlog and crypto_aead_decrypt returns -EBUSY,
tls_do_decryption will wait until all async decryptions have completed. If
one of them fails, tls_do_decryption will return -EBADMSG and
tls_decrypt_sg jumps to the error path, releasing all the pages. But the
pages have been passed to the async callback, and have already been
released by tls_decrypt_done. The only true async case is when
crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so
we can tell tls_sw_recvmsg that the data is available for immediate copy,
but we need to notify tls_decrypt_sg (via the new ->async_done flag) that
the memory has already been released.

Notes

Author	Note
	Priority reason: Reported by Google kCTF

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchlinux< anyUNKNOWN
ubuntu22.04noarchlinux< anyUNKNOWN
ubuntu22.04noarchlinux-aws< anyUNKNOWN
ubuntu20.04noarchlinux-aws-5.15< anyUNKNOWN
ubuntu22.04noarchlinux-aws-6.5< anyUNKNOWN
ubuntu20.04noarchlinux-azure< anyUNKNOWN
ubuntu22.04noarchlinux-azure< anyUNKNOWN
ubuntu20.04noarchlinux-azure-5.15< anyUNKNOWN
ubuntu18.04noarchlinux-azure-5.4< anyUNKNOWN
ubuntu22.04noarchlinux-azure-6.5< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	20.04	noarch	linux	< any	UNKNOWN
ubuntu	22.04	noarch	linux	< any	UNKNOWN
ubuntu	22.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	20.04	noarch	linux-aws-5.15	< any	UNKNOWN
ubuntu	22.04	noarch	linux-aws-6.5	< any	UNKNOWN
ubuntu	20.04	noarch	linux-azure	< any	UNKNOWN
ubuntu	22.04	noarch	linux-azure	< any	UNKNOWN
ubuntu	20.04	noarch	linux-azure-5.15	< any	UNKNOWN
ubuntu	18.04	noarch	linux-azure-5.4	< any	UNKNOWN
ubuntu	22.04	noarch	linux-azure-6.5	< any	UNKNOWN