PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23414 Linux CVE debrief

A HIGH severity vulnerability was found in the Linux kernel, with a CVSS score of 7.5. The vulnerability is related to the tls: Purge async_hold in tls_decrypt_async_wait(). This vulnerability causes a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. The vulnerability affects Linux kernel versions 6.1.158 to 6.1.168, 6.6.114 to 6.6.131, 6.12.55 to 6.12.80, 6.17.5 to 6.18, 6.18.1 to 6.18.21, 6.19 to 6.19.11, and 7.0 rc1 to rc7.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-02
Original CVE updated
2026-07-14
Advisory published
2026-04-02
Advisory updated
2026-07-14

Who should care

Users of Linux kernel versions 6.1.158 to 6.1.168, 6.6.114 to 6.6.131, 6.12.55 to 6.12.80, 6.17.5 to 6.18, 6.18.1 to 6.18.21, 6.19 to 6.19.11, and 7.0 rc1 to rc7 should be aware of this vulnerability. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and take necessary actions.

Technical summary

The vulnerability is caused by a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to process all pending decrypts, and drop back to synchronous mode. The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally.

Defensive priority

High priority should be given to patching the Linux kernel to prevent potential data leaks.

Recommended defensive actions

  • Apply patches from Linux kernel stable branches
  • Review and update Linux kernel versions to ensure they are within the safe ranges
  • Monitor for potential data leaks
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

Evidence is based on official CVE and NVD records, as well as Linux kernel patch references. The vulnerability was introduced in Linux kernel versions 6.1.158 to 6.1.168, 6.6.114 to 6.6.131, 6.12.55 to 6.12.80, 6.17.5 to 6.18, 6.18.1 to 6.18.21, 6.19 to 6.19.11, and 7.0 rc1 to rc7. Defenders should verify patch deployment and review system logs for potential data leaks.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-02T12:16:20.633Z and has not been modified since then.