CVE-2026-52974

Source
https://cve.org/CVERecord?id=CVE-2026-52974
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52974.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52974
Downstream
Published
2026-06-24T16:28:51.826Z
Modified
2026-07-12T03:55:03.933216132Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
net: tls: fix strparser anchor skb leak on offload RX setup failure
Details

In the Linux kernel, the following vulnerability has been resolved:

net: tls: fix strparser anchor skb leak on offload RX setup failure

When tlssetdeviceoffloadrx() fails at tlsdevadd(), the error path calls tlsswfreeresourcesrx() to clean up the SW context that was initialized by tlssetswoffload(). This function calls tlsswreleaseresourcesrx() (which stops the strparser via tlsstrpstop()) and tlsswfreectxrx() (which kfrees the context), but never frees the anchor skb that was allocated by allocskb(0) in tlsstrpinit().

Note that tlsswfreeresourcesrx() is exclusively used for this "failed to start offload" code path, there's no other caller.

The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use the standard strparser"), because the standard strparser doesn't try to pre-allocate an skb.

The normal close path in tlsskprotoclose() handles cleanup by calling tlsswstrparserdone() (which calls tlsstrpdone()) after dropping the socket lock, because tlsstrpdone() does cancelworksync() and the strparser work handler takes the socket lock.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52974.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
84c61fe1a75b4255df1e1e7c054c9e6d048da417
Fixed
0c9f399b37ce22a5ed94cc51f03ed07ac7f38e32
Fixed
688f12aa44511dd57e448eb670075c6302ad1dc1
Fixed
3c405dfa9619e506e75b8e41f8b29a5b99731877
Fixed
9c54e76f8d6eb11735918777ef0e0509e089557d
Fixed
bd07fe6c38b9e44ff3fc02692a53f095c5cc9afc
Fixed
58689498ca3384851145a754dbb1d8ed1cf9fb54

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52974.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52974.json"