PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31533 Linux CVE debrief

A use-after-free vulnerability was discovered in the Linux kernel's TLS encryption handling. The vulnerability occurs when the -EBUSY error path in tls_do_encryption() is triggered, leading to double cleanup of encrypt_pending and the scatterlist entry. This can cause a use-after-free when a cryptd callback is still pending, resulting in a potential system crash or code execution.

Vendor
Linux
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-23
Original CVE updated
2026-07-14
Advisory published
2026-04-23
Advisory updated
2026-07-14

Who should care

System administrators and security teams responsible for Linux kernel-based systems, especially those using TLS encryption, should be aware of this vulnerability and take immediate action to patch affected systems.

Technical summary

The vulnerability is caused by a use-after-free in the -EBUSY error path of tls_do_encryption(). When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. This can lead to a use-after-free when a subsequent sendmsg frees the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending.

Defensive priority

High

Recommended defensive actions

  • Apply the official patches provided by the Linux kernel maintainers.
  • Ensure that all Linux kernel-based systems are running with the latest kernel version.
  • Monitor system logs for potential exploitation attempts.
  • Implement additional security controls, such as network segmentation and access controls, to limit the attack surface.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The vulnerability was introduced by commit 859054147318 (net: tls: handle backlogging of crypto requests). The fix involves skipping the synchronous cleanup when the -EBUSY async wait returns an error.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-23T18:16:26.857Z and has not been modified since then.