1.4 KiB
CVE-2025-38018
Description
In the Linux kernel, the following vulnerability has been resolved:net/tls: fix kernel panic when alloc_page failedWe cannot set frag_list to NULL pointer when alloc_page failed.It will be used in tls_strp_check_queue_ok when the next timetls_strp_read_sock is called.This is because we don't reset full_len in tls_strp_flush_anchor_copy()so the recv path will try to continue handling the partial recordon the next call but we dettached the rcvq from the frag list.Alternative fix would be to reset full_len.Unable to handle kernel NULL pointer dereferenceat virtual address 0000000000000028 Call trace: tls_strp_check_rcv+0x128/0x27c tls_strp_data_ready+0x34/0x44 tls_data_ready+0x3c/0x1f0 tcp_data_ready+0x9c/0xe4 tcp_data_queue+0xf6c/0x12d0 tcp_rcv_established+0x52c/0x798
POC
Reference
No PoCs from references.