CVE-2025-38616: tls: handle data disappearing from under the TLS ULP
In the Linux kernel, the following vulnerability has been resolved:
tls: handle data disappearing from under the TLS ULP
TLS expects that it owns the receive queue of the TCP socket.
This cannot be guaranteed in case the reader of the TCP socket
entered before the TLS ULP was installed, or uses some non-standard
read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy
early exit (which leaves anchor pointing to a freed skb) with real
error handling. Wipe the parsing state and tell the reader to retry.
We already reload the anchor every time we (re)acquire the socket lock,
so the only condition we need to avoid is an out of bounds read
(not having enough bytes in the socket for previously parsed record len).
If some data was read from under TLS but there's enough in the queue
we'll reload and decrypt what is most likely not a valid TLS record.
Leading to some undefined behavior from TLS perspective (corrupting
a stream? missing an alert? missing an attack?) but no kernel crash
should take place.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue affects the in-kernel TLS receive path. Under specific socket-read timing or non-standard read behavior, data can disappear from the queue TLS expects to own, leaving stale parsing state. The sources describe kernel crash risk and undefined TLS stream behavior, but provide no CVSS score or exploitation evidence.
Executive priority
Treat this as a targeted kernel maintenance issue, not an emergency based on current evidence. Prioritize patching where kernel TLS is used in production, especially on exposed service infrastructure, while tracking vendor guidance for affected kernel ranges.
Technical view
CVE-2025-38616 fixes Linux TLS ULP receive handling when TCP receive-queue contents change underneath it. The prior path used WARN_ON and an early exit that could leave an anchor pointing to a freed skb. The fix adds error handling, clears parsing state, and asks the reader to retry.
Likely exposure
Exposure is likely limited to Linux systems using kernel TLS ULP on TCP sockets, especially workloads with timing around TLS ULP installation or non-standard reads such as zerocopy. The provided affected-version data is incomplete and should be validated against distribution kernels.
Exploitation context
The source bundle does not report active exploitation, and KEV is false. The described condition is race or API-behavior dependent, not a simple unauthenticated remote exploit in the provided evidence. Impact appears tied to kernel stability and TLS stream correctness.
Researcher notes
Key evidence comes from the Linux kernel fix description. The issue is in TLS ULP receive queue assumptions, stale skb anchor handling, and parser state recovery. No CWE, CVSS, exploit proof, or downstream distro impact details are provided in the bundle.
Mitigation direction
Apply Linux stable or distribution kernel updates that include the referenced fixes.
Check vendor advisories for backported patches matching your exact kernel build.
Prioritize hosts using kernel TLS for internet-facing or high-throughput services.
Reduce reliance on affected kernel TLS paths where patching is delayed.
Monitor kernel logs for TLS ULP warnings, crashes, or socket handling anomalies.
Validation and detection
Inventory Linux kernel versions and distribution patch levels across affected systems.
Confirm kernels include one of the referenced stable commits or vendor equivalents.
Identify services or libraries using Linux kernel TLS ULP.
Review whether zerocopy or unusual socket read paths are used.
Validate updated kernels in staging with representative TLS traffic.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-38616 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.