{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38018","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.977Z","datePublished":"2025-06-18T09:28:26.443Z","dateUpdated":"2026-05-11T21:19:43.492Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:19:43.492Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix kernel panic when alloc_page failed\n\nWe cannot set frag_list to NULL pointer when alloc_page failed.\nIt will be used in tls_strp_check_queue_ok when the next time\ntls_strp_read_sock is called.\n\nThis is because we don't reset full_len in tls_strp_flush_anchor_copy()\nso the recv path will try to continue handling the partial record\non the next call but we detached the rcvq from the frag list.\nAlternative fix would be to reset full_len.\n\nUnable to handle kernel NULL pointer dereference\nat virtual address 0000000000000028\n Call trace:\n tls_strp_check_rcv+0x128/0x27c\n tls_strp_data_ready+0x34/0x44\n tls_data_ready+0x3c/0x1f0\n tcp_data_ready+0x9c/0xe4\n tcp_data_queue+0xf6c/0x12d0\n 
tcp_rcv_established+0x52c/0x798"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tls/tls_strp.c"],"versions":[{"version":"84c61fe1a75b4255df1e1e7c054c9e6d048da417","lessThan":"8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4","status":"affected","versionType":"git"},{"version":"84c61fe1a75b4255df1e1e7c054c9e6d048da417","lessThan":"406d05da26835943568e61bb751c569efae071d4","status":"affected","versionType":"git"},{"version":"84c61fe1a75b4255df1e1e7c054c9e6d048da417","lessThan":"a11b8c0be6acd0505a58ff40d474bd778b25b93a","status":"affected","versionType":"git"},{"version":"84c61fe1a75b4255df1e1e7c054c9e6d048da417","lessThan":"5f1f833cb388592bb46104463a1ec1b7c41975b6","status":"affected","versionType":"git"},{"version":"84c61fe1a75b4255df1e1e7c054c9e6d048da417","lessThan":"491deb9b8c4ad12fe51d554a69b8165b9ef9429f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tls/tls_strp.c"],"versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","status":"unaffected","versionType":"semver"},{"version":"6.1.140","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.92","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.30","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.14.8","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.1.140"},{"vulnerable":true,"cr
iteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.6.92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.12.30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.14.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4"},{"url":"https://git.kernel.org/stable/c/406d05da26835943568e61bb751c569efae071d4"},{"url":"https://git.kernel.org/stable/c/a11b8c0be6acd0505a58ff40d474bd778b25b93a"},{"url":"https://git.kernel.org/stable/c/5f1f833cb388592bb46104463a1ec1b7c41975b6"},{"url":"https://git.kernel.org/stable/c/491deb9b8c4ad12fe51d554a69b8165b9ef9429f"}],"title":"net/tls: fix kernel panic when alloc_page failed","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:58:19.276Z"}}]}}