CVE-2025-39682 (GCVE-0-2025-39682)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-09-29 05:57
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know type until decryption) we queue the pending record to the rx_list. Next recvmsg() will pick it up from there. Queuing the skb to rx_list after zero-copy decrypt is not possible, since in that case we decrypted directly to the user space buffer, and we don't have an skb to queue (darg.skb points to the ciphertext skb for access to metadata like length). Only data records are allowed zero-copy, and we break the processing loop after each non-data record. So we should never zero-copy and then find out that the record type has changed. The corner case we missed is when the initial record comes from rx_list, and it's zero length.
Impacted products
Vendor Product Version
Linux Linux Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Create a notification for this product.
   Linux Linux Version: 6.0
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2902c3ebcca52ca845c03182000e8d71d3a5196f",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "3439c15ae91a517cf3c650ea15a8987699416ad9",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "62708b9452f8eb77513115b17c4f8d1a22ebf843",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix handling of zero-length records on the rx_list\n\nEach recvmsg() call must process either\n - only contiguous DATA records (any number of them)\n - one non-DATA record\n\nIf the next record has different type than what has already been\nprocessed we break out of the main processing loop. If the record\nhas already been decrypted (which may be the case for TLS 1.3 where\nwe don\u0027t know type until decryption) we queue the pending record\nto the rx_list. Next recvmsg() will pick it up from there.\n\nQueuing the skb to rx_list after zero-copy decrypt is not possible,\nsince in that case we decrypted directly to the user space buffer,\nand we don\u0027t have an skb to queue (darg.skb points to the ciphertext\nskb for access to metadata like length).\n\nOnly data records are allowed zero-copy, and we break the processing\nloop after each non-data record. So we should never zero-copy and\nthen find out that the record type has changed. The corner case\nwe missed is when the initial record comes from rx_list, and it\u0027s\nzero length."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:57:19.459Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2902c3ebcca52ca845c03182000e8d71d3a5196f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677"
        },
        {
          "url": "https://git.kernel.org/stable/c/3439c15ae91a517cf3c650ea15a8987699416ad9"
        },
        {
          "url": "https://git.kernel.org/stable/c/29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e"
        },
        {
          "url": "https://git.kernel.org/stable/c/62708b9452f8eb77513115b17c4f8d1a22ebf843"
        }
      ],
      "title": "tls: fix handling of zero-length records on the rx_list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39682",
    "datePublished": "2025-09-05T17:20:48.657Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2025-09-29T05:57:19.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39682\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-05T18:15:44.670\",\"lastModified\":\"2025-09-08T16:25:38.810\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntls: fix handling of zero-length records on the rx_list\\n\\nEach recvmsg() call must process either\\n - only contiguous DATA records (any number of them)\\n - one non-DATA record\\n\\nIf the next record has different type than what has already been\\nprocessed we break out of the main processing loop. If the record\\nhas already been decrypted (which may be the case for TLS 1.3 where\\nwe don\u0027t know type until decryption) we queue the pending record\\nto the rx_list. Next recvmsg() will pick it up from there.\\n\\nQueuing the skb to rx_list after zero-copy decrypt is not possible,\\nsince in that case we decrypted directly to the user space buffer,\\nand we don\u0027t have an skb to queue (darg.skb points to the ciphertext\\nskb for access to metadata like length).\\n\\nOnly data records are allowed zero-copy, and we break the processing\\nloop after each non-data record. So we should never zero-copy and\\nthen find out that the record type has changed. The corner case\\nwe missed is when the initial record comes from rx_list, and it\u0027s\\nzero length.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2902c3ebcca52ca845c03182000e8d71d3a5196f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3439c15ae91a517cf3c650ea15a8987699416ad9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/62708b9452f8eb77513115b17c4f8d1a22ebf843\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…