CVE-2023-52767
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-52767
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52767.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-52767
- Downstream
- Related
- Published
- 2024-05-21T16:15:15Z
- Modified
- 2025-08-09T19:01:27Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
tls: fix NULL deref on tlsswsplice_eof() with empty record
syzkaller discovered that if tlsswspliceeof() is executed as part of sendfile() when the plaintext/ciphertext skmsg are empty, the send path gets confused because the empty ciphertext buffer does not have enough space for the encryption overhead. This causes tlspushrecord() to go on the
split = truepath (which is only supposed to be used when interacting with an attached BPF program), and then get further confused and hit the tlsmergeopen_record() path, which then assumes that there must be at least one populated buffer element, leading to a NULL deref.It is possible to have empty plaintext/ciphertext buffers if we previously bailed from tlsswsendmsglocked() via the tlstrimbothmsgs() path. tlsswpushpendingrecord() already handles this case correctly; let's do the same check in tlsswsplice_eof().
- References