Linux Kernel TLS Data Handling Vulnerability Affecting Multiple Versions

CVE-2025-38616

What is CVE-2025-38616?

A vulnerability has been identified in the Linux kernel related to TLS data handling. This issue can arise when data disappears from the TLS User-Land Protocol (ULP). TLS requires ownership of the receive queue of the TCP socket, but this guarantees may fail if a reader accesses the socket prior to the TLS ULP installation or employs non-standard read APIs, such as zerocopy methods. The flaw was addressed by replacing the inadequate error handling mechanism with a more robust solution that ensures proper management of the parsing state and instructs the reader to retry. Consequently, while some data may be read under TLS conditions, issues may still emerge during decryption that could lead to undefined behavior within the TLS protocol, such as stream corruption, alerts being missed, or potential security threats, all without causing a kernel crash.

References