PatchSiren cyber security CVE debrief
CVE-2026-31533 Linux CVE debrief
A use-after-free vulnerability was discovered in the Linux kernel's TLS encryption handling. The vulnerability occurs when the -EBUSY error path in tls_do_encryption() is triggered, leading to double cleanup of encrypt_pending and the scatterlist entry. This can cause a use-after-free when a cryptd callback is still pending, resulting in a potential system crash or code execution.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-23
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-23
- Advisory updated
- 2026-07-14
Who should care
System administrators and security teams responsible for Linux kernel-based systems, especially those using TLS encryption, should be aware of this vulnerability and take immediate action to patch affected systems.
Technical summary
The vulnerability is caused by a use-after-free in the -EBUSY error path of tls_do_encryption(). When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. This can lead to a use-after-free when a subsequent sendmsg frees the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending.
Defensive priority
High
Recommended defensive actions
- Apply the official patches provided by the Linux kernel maintainers.
- Ensure that all Linux kernel-based systems are running with the latest kernel version.
- Monitor system logs for potential exploitation attempts.
- Implement additional security controls, such as network segmentation and access controls, to limit the attack surface.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The vulnerability was introduced by commit 859054147318 (net: tls: handle backlogging of crypto requests). The fix involves skipping the synchronous cleanup when the -EBUSY async wait returns an error.
Official resources
-
CVE-2026-31533 CVE record
CVE.org
-
CVE-2026-31533 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-23T18:16:26.857Z and has not been modified since then.