NVD

CVE-2025-38471 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: tls: always refresh the queue when reading sock After recent changes in net-next TCP compacts skbs much more aggressively. This unearthed a bug in TLS where we may try to operate on an old skb when checking if all skbs in the queue have matching decrypt state and geometry. BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls] (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) Read of size 4 at addr ffff888013085750 by task tls/13529 CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme Call Trace: kasan_report+0xca/0x100 tls_strp_check_rcv+0x898/0x9a0 [tls] tls_rx_rec_wait+0x2c9/0x8d0 [tls] tls_sw_recvmsg+0x40f/0x1aa0 [tls] inet_recvmsg+0x1c3/0x1f0 Always reload the queue, fast path is to have the record in the queue when we wake, anyway (IOW the path going down "if !strp->stm.full_len").

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 7.8 HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/1f3a429c21e0e43e8b8c55d30701e91411a4df02	kernel.org	Patch
https://git.kernel.org/stable/c/4ab26bce3969f8fd925fe6f6f551e4d1a508c68b	kernel.org	Patch
https://git.kernel.org/stable/c/730fed2ff5e259495712518e18d9f521f61972bb	kernel.org	Patch
https://git.kernel.org/stable/c/c76f6f437c46b2390888e0e1dc7aafafa9f4e0c6	kernel.org	Patch
https://git.kernel.org/stable/c/cdb767915fc9a15d88d19d52a1455f1dc3e5ddc8	kernel.org	Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html	CVE	Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-416	Use After Free	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

Initial Analysis by NIST 12/22/2025 2:34:36 PM

Action	Type	New Value
Added	CVSS V3.1	AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE	CWE-416
Added	CPE Configuration	OR cpe:2.3:o:debian:debian_linux:11.0:::::::
Added	CPE Configuration	OR cpe:2.3:o:linux:linux_kernel:6.1:rc2::::::* cpe:2.3:o:linux:linux_kernel:6.1:rc5::::::* cpe:2.3:o:linux:linux_kernel:6.1:rc3::::::* cpe:2.3:o:linux:linux_kernel:6.1:rc4::::::* cpe:2.3:o:linux:linux_kernel:6.1:rc6::::::* cpe:2.3:o:linux:linux_kernel:6.1:rc7::::::* cpe:2.3:o:linux:linux_kernel:6.1:rc8::::::* cpe:2.3:o:linux:linux_kernel:6.1:-::::::* cpe:2.3:o:linux:linux_kernel:6.16:rc1::::::* cpe:2.3:o:linux:linux_kernel:6.16:rc2::::::* cpe:2.3:o:linux:linux_kernel:6.16:rc3::::::* cpe:2.3:o:linux:linux_kernel:6.16:rc4::::::* cpe:2.3:o:linux:linux_kernel:6.16:rc5::::::* cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.13 up to (excluding) 6.15.8 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.7 up to (excluding) 6.12.40 cpe:2.3:o:linux:linux_kernel:6.16:rc6::::::* cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.2 up to (excluding) 6.6.100 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.0.6 up to (excluding) 6.1 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.1.1 up to (excluding) 6.1.147
Added	Reference Type	CVE: https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Types: Third Party Advisory
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/1f3a429c21e0e43e8b8c55d30701e91411a4df02 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/4ab26bce3969f8fd925fe6f6f551e4d1a508c68b Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/730fed2ff5e259495712518e18d9f521f61972bb Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/c76f6f437c46b2390888e0e1dc7aafafa9f4e0c6 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/cdb767915fc9a15d88d19d52a1455f1dc3e5ddc8 Types: Patch

New CVE Received from kernel.org 7/28/2025 8:15:28 AM

Action	Type	New Value
Added	Description	In the Linux kernel, the following vulnerability has been resolved: tls: always refresh the queue when reading sock After recent changes in net-next TCP compacts skbs much more aggressively. This unearthed a bug in TLS where we may try to operate on an old skb when checking if all skbs in the queue have matching decrypt state and geometry. BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls] (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) Read of size 4 at addr ffff888013085750 by task tls/13529 CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme Call Trace: kasan_report+0xca/0x100 tls_strp_check_rcv+0x898/0x9a0 [tls] tls_rx_rec_wait+0x2c9/0x8d0 [tls] tls_sw_recvmsg+0x40f/0x1aa0 [tls] inet_recvmsg+0x1c3/0x1f0 Always reload the queue, fast path is to have the record in the queue when we wake, anyway (IOW the path going down "if !strp->stm.full_len").
Added	Reference	https://git.kernel.org/stable/c/1f3a429c21e0e43e8b8c55d30701e91411a4df02
Added	Reference	https://git.kernel.org/stable/c/4ab26bce3969f8fd925fe6f6f551e4d1a508c68b
Added	Reference	https://git.kernel.org/stable/c/730fed2ff5e259495712518e18d9f521f61972bb
Added	Reference	https://git.kernel.org/stable/c/c76f6f437c46b2390888e0e1dc7aafafa9f4e0c6
Added	Reference	https://git.kernel.org/stable/c/cdb767915fc9a15d88d19d52a1455f1dc3e5ddc8

Quick Info

CVE Dictionary Entry:
CVE-2025-38471
NVD Published Date:
07/28/2025
NVD Last Modified:
12/22/2025
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2025-38471 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

Initial Analysis by NIST 12/22/2025 2:34:36 PM

CVE Modified by CVE 11/03/2025 1:16:22 PM

New CVE Received from kernel.org 7/28/2025 8:15:28 AM

Quick Info