CVE-2025-38018
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/06/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/tls: fix kernel panic when alloc_page failed<br />
<br />
We cannot set frag_list to NULL pointer when alloc_page failed.<br />
It will be used in tls_strp_check_queue_ok when the next time<br />
tls_strp_read_sock is called.<br />
<br />
This is because we don&#39;t reset full_len in tls_strp_flush_anchor_copy()<br />
so the recv path will try to continue handling the partial record<br />
on the next call but we dettached the rcvq from the frag list.<br />
Alternative fix would be to reset full_len.<br />
<br />
Unable to handle kernel NULL pointer dereference<br />
at virtual address 0000000000000028<br />
Call trace:<br />
tls_strp_check_rcv+0x128/0x27c<br />
tls_strp_data_ready+0x34/0x44<br />
tls_data_ready+0x3c/0x1f0<br />
tcp_data_ready+0x9c/0xe4<br />
tcp_data_queue+0xf6c/0x12d0<br />
tcp_rcv_established+0x52c/0x798
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/406d05da26835943568e61bb751c569efae071d4
- https://git.kernel.org/stable/c/491deb9b8c4ad12fe51d554a69b8165b9ef9429f
- https://git.kernel.org/stable/c/5f1f833cb388592bb46104463a1ec1b7c41975b6
- https://git.kernel.org/stable/c/8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4
- https://git.kernel.org/stable/c/a11b8c0be6acd0505a58ff40d474bd778b25b93a