CVE-2025-39946

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tls: make sure to abort the stream if headers are bogus<br /> <br /> Normally we wait for the socket to buffer up the whole record<br /> before we service it. If the socket has a tiny buffer, however,<br /> we read out the data sooner, to prevent connection stalls.<br /> Make sure that we abort the connection when we find out late<br /> that the record is actually invalid. Retrying the parsing is<br /> fine in itself but since we copy some more data each time<br /> before we parse we can overflow the allocated skb space.<br /> <br /> Constructing a scenario in which we&amp;#39;re under pressure without<br /> enough data in the socket to parse the length upfront is quite<br /> hard. syzbot figured out a way to do this by serving us the header<br /> in small OOB sends, and then filling in the recvbuf with a large<br /> normal send.<br /> <br /> Make sure that tls_rx_msg_size() aborts strp, if we reach<br /> an invalid record there&amp;#39;s really no way to recover.