CVE-2025-38616

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 22/08/2025
Last modified: 26/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tls: handle data disappearing from under the TLS ULP

TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry.

We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len).

If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place.
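The condition the description singles out (a cached record length that the queue can no longer satisfy) is modelled below in user space. This is an added example, not the kernel's code: `rxq`, `parser`, `parse_header`, `load_record`, `demo` and `RX_RETRY` are hypothetical names, and the sample record is constructed.

```c
#include <stddef.h>
#include <string.h>

/* User-space model with hypothetical names; not kernel code. */
#define HDR_LEN  5       /* TLS record header: type, version(2), length(2) */
#define RX_RETRY (-1)    /* this model's "retry" code, an assumption */

struct rxq    { const unsigned char *data; size_t len; }; /* bytes queued now */
struct parser { size_t rec_len; };   /* cached full record length, 0 = none */

/* Parse the record header and cache the full record length. */
static int parse_header(struct parser *p, const struct rxq *q)
{
    if (q->len < HDR_LEN)
        return RX_RETRY;
    p->rec_len = HDR_LEN + (((size_t)q->data[3] << 8) | q->data[4]);
    return 0;
}

/* Runs after the lock is re-taken: another reader may have consumed bytes,
 * so the cached length is checked against the queue again before copying. */
static int load_record(struct parser *p, const struct rxq *q,
                       unsigned char *out, size_t out_sz)
{
    if (p->rec_len == 0 || p->rec_len > out_sz)
        return RX_RETRY;
    if (q->len < p->rec_len) {      /* data disappeared from under the parser */
        memset(p, 0, sizeof(*p));   /* wipe the parsing state */
        return RX_RETRY;            /* caller parses again from scratch */
    }
    memcpy(out, q->data, p->rec_len);
    return (int)p->rec_len;
}

/* Constructed sample: header announcing 4 payload bytes, then the payload. */
static const unsigned char sample[] = { 0x17, 0x03, 0x03, 0x00, 0x04, 1, 2, 3, 4 };

/* Result of load_record() when only `left` bytes remain after parsing. */
static int demo(size_t left)
{
    struct rxq q = { sample, sizeof(sample) };
    struct parser p = { 0 };
    unsigned char out[64];
    if (parse_header(&p, &q) != 0)
        return RX_RETRY;
    q.len = left;                   /* simulate a second reader draining */
    int r = load_record(&p, &q, out, sizeof(out));
    return (r == RX_RETRY && p.rec_len != 0) ? -2 : r; /* -2: stale state */
}
```

Without the `q->len < p->rec_len` check, the copy would read `rec_len` bytes from a queue that holds fewer, which is the out-of-bounds read class (CWE-125) listed for this entry.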

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.0 (including) | 6.6.103 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.43 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16 (including) | 6.16.2 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* | | |