In the Linux kernel, the following vulnerability has been resolved:
net: tls: fix strparser anchor skb leak on offload RX setup failure
When tlssetdeviceoffloadrx() fails at tlsdevadd(), the error path calls tlsswfreeresourcesrx() to clean up the SW context that was initialized by tlssetswoffload(). This function calls tlsswreleaseresourcesrx() (which stops the strparser via tlsstrpstop()) and tlsswfreectxrx() (which kfrees the context), but never frees the anchor skb that was allocated by allocskb(0) in tlsstrpinit().
Note that tlsswfreeresourcesrx() is exclusively used for this "failed to start offload" code path, there's no other caller.
The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use the standard strparser"), because the standard strparser doesn't try to pre-allocate an skb.
The normal close path in tlsskprotoclose() handles cleanup by calling tlsswstrparserdone() (which calls tlsstrpdone()) after dropping the socket lock, because tlsstrpdone() does cancelworksync() and the strparser work handler takes the socket lock.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52974.json"
}