{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23414", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.014Z", "datePublished": "2026-04-02T11:40:55.746Z", "dateUpdated": "2026-05-11T22:06:26.860Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:26.860Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Purge async_hold in tls_decrypt_async_wait()\n\nThe async_hold queue pins encrypted input skbs while\nthe AEAD engine references their scatterlist data. Once\ntls_decrypt_async_wait() returns, every AEAD operation\nhas completed and the engine no longer references those\nskbs, so they can be freed unconditionally.\n\nA subsequent patch adds batch async decryption to\ntls_sw_read_sock(), introducing a new call site that\nmust drain pending AEAD operations and release held\nskbs. Move __skb_queue_purge(&ctx->async_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg's drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[pabeni@redhat.com: added leak comment]"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tls/tls_sw.c"], "versions": [{"version": "9f83fd0c179e0f458e824e417f9d5ad53443f685", "lessThan": "ac435be7c7613eb13a5a8ceb5182e10b50c9ce87", "status": "affected", "versionType": "git"}, {"version": "c61d4368197d65c4809d9271f3b85325a600586a", "lessThan": "2dcf324855c34e7f934ce978aa19b645a8f3ee71", "status": "affected", "versionType": "git"}, {"version": "39dec4ea3daf77f684308576baf483b55ca7f160", "lessThan": "6dc11e0bd0a5466bcc76d275c09e5537bd0597dd", "status": "affected", "versionType": "git"}, {"version": "b8a6ff84abbcbbc445463de58704686011edc8e1", "lessThan": "9f557c7eae127b44d2e863917dc986a4b6cb1269", "status": "affected", "versionType": "git"}, {"version": "b8a6ff84abbcbbc445463de58704686011edc8e1", "lessThan": "fd8037e1f18ca5336934d0e0e7e1a4fe097e749d", "status": "affected", "versionType": "git"}, {"version": "b8a6ff84abbcbbc445463de58704686011edc8e1", "lessThan": "84a8335d8300576f1b377ae24abca1d9f197807f", "status": "affected", "versionType": "git"}, {"version": "4fc109d0ab196bd943b7451276690fb6bb48c2e0", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tls/tls_sw.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.158", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.114", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.55", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ac435be7c7613eb13a5a8ceb5182e10b50c9ce87"}, {"url": "https://git.kernel.org/stable/c/2dcf324855c34e7f934ce978aa19b645a8f3ee71"}, {"url": "https://git.kernel.org/stable/c/6dc11e0bd0a5466bcc76d275c09e5537bd0597dd"}, {"url": "https://git.kernel.org/stable/c/9f557c7eae127b44d2e863917dc986a4b6cb1269"}, {"url": "https://git.kernel.org/stable/c/fd8037e1f18ca5336934d0e0e7e1a4fe097e749d"}, {"url": "https://git.kernel.org/stable/c/84a8335d8300576f1b377ae24abca1d9f197807f"}], "title": "tls: Purge async_hold in tls_decrypt_async_wait()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "74354A9E-64FE-48C2-B604-2DD58B23322C", "versionEndExcluding": "6.1.168", "versionStartIncluding": "6.1.158", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "716DD6F7-573E-4E87-AAEC-09CE13915C2F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.6.114", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC24881D-6C39-4AC6-99CE-F73C48E329DF", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.12.55", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "27929282-2519-484B-B04C-5B62B31FBC5E", "versionEndExcluding": "6.18", "versionStartIncluding": "6.17.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2E98868-4027-46EE-AD08-92C9D7283181", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.18.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Purge async_hold in tls_decrypt_async_wait()\n\nThe async_hold queue pins encrypted input skbs while\nthe AEAD engine references their scatterlist data. Once\ntls_decrypt_async_wait() returns, every AEAD operation\nhas completed and the engine no longer references those\nskbs, so they can be freed unconditionally.\n\nA subsequent patch adds batch async decryption to\ntls_sw_read_sock(), introducing a new call site that\nmust drain pending AEAD operations and release held\nskbs. Move __skb_queue_purge(&ctx->async_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg's drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[pabeni@redhat.com: added leak comment]"}], "id": "CVE-2026-23414", "lastModified": "2026-04-27T14:16:31.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T12:16:20.633", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2dcf324855c34e7f934ce978aa19b645a8f3ee71"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6dc11e0bd0a5466bcc76d275c09e5537bd0597dd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/84a8335d8300576f1b377ae24abca1d9f197807f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9f557c7eae127b44d2e863917dc986a4b6cb1269"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ac435be7c7613eb13a5a8ceb5182e10b50c9ce87"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fd8037e1f18ca5336934d0e0e7e1a4fe097e749d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: tls: Purge async_hold in tls_decrypt_async_wait()", "id": "2454314", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454314"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's Transport Layer Security (TLS) subsystem. When processing TLS messages, a memory leak can occur if the `tls_strp_msg_hold()` function fails. This failure can lead to socket kernel buffers (skbs) being added to an internal queue but not properly released, consuming system memory. This issue could potentially lead to a Denial of Service (DoS) condition."], "name": "CVE-2026-23414", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23414\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23414\nhttps://lore.kernel.org/linux-cve-announce/2026040203-CVE-2026-23414-d0e3@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c61d4368197d65c4809d9271f3b85325a600586a,2dcf324855c34e7f934ce978aa19b645a8f3ee71)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[39dec4ea3daf77f684308576baf483b55ca7f160,6dc11e0bd0a5466bcc76d275c09e5537bd0597dd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b8a6ff84abbcbbc445463de58704686011edc8e1,9f557c7eae127b44d2e863917dc986a4b6cb1269)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b8a6ff84abbcbbc445463de58704686011edc8e1,fd8037e1f18ca5336934d0e0e7e1a4fe097e749d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b8a6ff84abbcbbc445463de58704686011edc8e1,84a8335d8300576f1b377ae24abca1d9f197807f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "9f83fd0c179e0f458e824e417f9d5ad53443f685"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "4fc109d0ab196bd943b7451276690fb6bb48c2e0"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:50:16.136865+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a release that contains the async_hold purge patch.", "If a kernel upgrade is not possible immediately, look for vendor\u2011issued temporary mitigations or disable the affected TLS decryption path where feasible.", "Check your distribution\u2019s security advisories for relevant updates and apply them as soon as available.", "Monitor kernel memory usage for unexpected growth that may indicate the resource leak."], "summary": {"action": "Apply Patch", "impact": "Memory Leak causing Resource Exhaustion"}, "threat_synthesis": {"affected_systems": "All systems running any Linux kernel that incorporates the affected TLS code paths are vulnerable. The CVE does not provide a specific affected-version range, so all kernel releases before the backported patch implementing the purge of the async_hold queue may be impacted. This includes mainstream distributions that have shipped kernels before the recent security updates.", "description_and_impact": "A flaw in the Linux kernel\u2019s TLS asynchronous decryption flow left encrypted socket buffers queued in an async_hold list that were never released after decryption completed. This unused memory is leaked into the kernel heap, potentially allowing an attacker or network client to grow large numbers of buffers and exhaust kernel memory, leading to degraded performance or system failure. The leak is a classic example of CWE-401: Memory Leak, and the failure to purge the queue also reflects CWE-911: Insufficient Resource Monitoring and Control.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, while the EPSS score being less than 1\u202f% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to generate TLS traffic that triggers a partial decryption failure, causing the async_hold queue to accumulate unreleased socket buffers. Once the heap memory is exhausted, the kernel could reject further allocations or crash, creating a denial\u2011of\u2011service condition. The attack vector is likely network\u2011based, and requires continuous TLS communication to reach the resource exhaustion threshold."}}}}, "created": "2026-04-02T20:12:50.017464+00:00", "updated": "2026-04-28T17:00:13.425088+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}