CVE-2023-52767

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52767
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52767.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52767
Downstream
Related
Published
2024-05-21T16:15:15Z
Modified
2025-08-09T19:01:27Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

tls: fix NULL deref on tlsswsplice_eof() with empty record

syzkaller discovered that if tlsswspliceeof() is executed as part of sendfile() when the plaintext/ciphertext skmsg are empty, the send path gets confused because the empty ciphertext buffer does not have enough space for the encryption overhead. This causes tlspushrecord() to go on the split = true path (which is only supposed to be used when interacting with an attached BPF program), and then get further confused and hit the tlsmergeopen_record() path, which then assumes that there must be at least one populated buffer element, leading to a NULL deref.

It is possible to have empty plaintext/ciphertext buffers if we previously bailed from tlsswsendmsglocked() via the tlstrimbothmsgs() path. tlsswpushpendingrecord() already handles this case correctly; let's do the same check in tlsswsplice_eof().

References

Affected packages