LiveActive security incident?Get immediate response
CVE Record

CVE-2025-38616: tls: handle data disappearing from under the TLS ULP

In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue affects the in-kernel TLS receive path. Under specific socket-read timing or non-standard read behavior, data can disappear from the queue TLS expects to own, leaving stale parsing state. The sources describe kernel crash risk and undefined TLS stream behavior, but provide no CVSS score or exploitation evidence.

Executive priority

Treat this as a targeted kernel maintenance issue, not an emergency based on current evidence. Prioritize patching where kernel TLS is used in production, especially on exposed service infrastructure, while tracking vendor guidance for affected kernel ranges.

Technical view

CVE-2025-38616 fixes Linux TLS ULP receive handling when TCP receive-queue contents change underneath it. The prior path used WARN_ON and an early exit that could leave an anchor pointing to a freed skb. The fix adds error handling, clears parsing state, and asks the reader to retry.

Likely exposure

Exposure is likely limited to Linux systems using kernel TLS ULP on TCP sockets, especially workloads with timing around TLS ULP installation or non-standard reads such as zerocopy. The provided affected-version data is incomplete and should be validated against distribution kernels.

Exploitation context

The source bundle does not report active exploitation, and KEV is false. The described condition is race or API-behavior dependent, not a simple unauthenticated remote exploit in the provided evidence. Impact appears tied to kernel stability and TLS stream correctness.

Researcher notes

Key evidence comes from the Linux kernel fix description. The issue is in TLS ULP receive queue assumptions, stale skb anchor handling, and parser state recovery. No CWE, CVSS, exploit proof, or downstream distro impact details are provided in the bundle.

Mitigation direction

  • Apply Linux stable or distribution kernel updates that include the referenced fixes.
  • Check vendor advisories for backported patches matching your exact kernel build.
  • Prioritize hosts using kernel TLS for internet-facing or high-throughput services.
  • Reduce reliance on affected kernel TLS paths where patching is delayed.
  • Monitor kernel logs for TLS ULP warnings, crashes, or socket handling anomalies.

Validation and detection

  • Inventory Linux kernel versions and distribution patch levels across affected systems.
  • Confirm kernels include one of the referenced stable commits or vendor equivalents.
  • Identify services or libraries using Linux kernel TLS ULP.
  • Review whether zerocopy or unusual socket read paths are used.
  • Validate updated kernels in staging with representative TLS traffic.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-38616 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux84c61fe1a75b4255df1e1e7c054c9e6d048da417, 84c61fe1a75b4255df1e1e7c054c9e6d048da417, 84c61fe1a75b4255df1e1e7c054c9e6d048da417, 84c61fe1a75b4255df1e1e7c054c9e6d048da417, 84c61fe1a75b4255df1e1e7c054c9e6d048da417unaffected
LinuxLinux6.0, 0, 6.6.103, 6.12.43, 6.15.11, 6.16.2, 6.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.