{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-23414", "tracking": { "current_release_date": "2026-04-03T07:32:33.510687Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-23414", "initial_release_date": "2026-04-02T12:27:31.440777Z", "revision_history": [ { "date": "2026-04-02T12:27:31.440777Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| References created (5)." }, { "date": "2026-04-02T12:27:37.441404Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-04-02T12:38:47.290376Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products created (7).| Products connected (7).| References created (5)." }, { "date": "2026-04-02T12:38:59.958153Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-04-02T15:22:27.236814Z", "number": "5", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-04-02T15:22:36.693249Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-04-02T18:44:41.814301Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Products connected (2)." }, { "date": "2026-04-02T18:44:44.366722Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-04-03T00:28:30.864949Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (13).| Product Identifiers created (5).| References created (3).| CWES updated (1).| Vendor_assessment created." }, { "date": "2026-04-03T00:28:36.527268Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-04-03T06:43:53.551856Z", "number": "11", "summary": "Description created for source." } ], "status": "interim", "version": "11" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:git/39dec4ea3daf77f684308576baf483b55ca7f160|<6dc11e0bd0a5466bcc76d275c09e5537bd0597dd", "product": { "name": "vers:git/39dec4ea3daf77f684308576baf483b55ca7f160|<6dc11e0bd0a5466bcc76d275c09e5537bd0597dd", "product_id": "CSAFPID-5984713" } }, { "category": "product_version_range", "name": "vers:git/4fc109d0ab196bd943b7451276690fb6bb48c2e0", "product": { "name": "vers:git/4fc109d0ab196bd943b7451276690fb6bb48c2e0", "product_id": "CSAFPID-5984718" } }, { "category": "product_version_range", "name": "vers:git/9f83fd0c179e0f458e824e417f9d5ad53443f685", "product": { "name": "vers:git/9f83fd0c179e0f458e824e417f9d5ad53443f685", "product_id": "CSAFPID-5984717" } }, { "category": "product_version_range", "name": "vers:git/b8a6ff84abbcbbc445463de58704686011edc8e1|<84a8335d8300576f1b377ae24abca1d9f197807f", "product": { "name": "vers:git/b8a6ff84abbcbbc445463de58704686011edc8e1|<84a8335d8300576f1b377ae24abca1d9f197807f", "product_id": "CSAFPID-5984716" } }, { "category": "product_version_range", "name": "vers:git/b8a6ff84abbcbbc445463de58704686011edc8e1|<9f557c7eae127b44d2e863917dc986a4b6cb1269", "product": { "name": "vers:git/b8a6ff84abbcbbc445463de58704686011edc8e1|<9f557c7eae127b44d2e863917dc986a4b6cb1269", "product_id": "CSAFPID-5984714" } }, { "category": "product_version_range", "name": "vers:git/b8a6ff84abbcbbc445463de58704686011edc8e1|async_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg's drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[pabeni@redhat.com: added leak comment]", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-23414" }, { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Purge async_hold in tls_decrypt_async_wait()\n\nThe async_hold queue pins encrypted input skbs while\nthe AEAD engine references their scatterlist data. Once\ntls_decrypt_async_wait() returns, every AEAD operation\nhas completed and the engine no longer references those\nskbs, so they can be freed unconditionally.\n\nA subsequent patch adds batch async decryption to\ntls_sw_read_sock(), introducing a new call site that\nmust drain pending AEAD operations and release held\nskbs. Move __skb_queue_purge(&ctx->async_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg's drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[pabeni@redhat.com: added leak comment]", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/23xxx/CVE-2026-23414.json" }, { "category": "description", "text": "A flaw was found in the Linux kernel's Transport Layer Security (TLS) subsystem. When processing TLS messages, a memory leak can occur if the `tls_strp_msg_hold()` function fails. This failure can lead to socket kernel buffers (skbs) being added to an internal queue but not properly released, consuming system memory. This issue could potentially lead to a Denial of Service (DoS) condition.", "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23414.json" }, { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved: tls: Purge async_hold in tls_decrypt_async_wait() The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally. A subsequent patch adds batch async decryption to tls_sw_read_sock(), introducing a new call site that must drain pending AEAD operations and release held skbs. Move __skb_queue_purge(&ctx->async_hold) into tls_decrypt_async_wait() so the purge is centralized and every caller -- recvmsg's drain path, the -EBUSY fallback in tls_do_decryption(), and the new read_sock batch path -- releases held skbs on synchronization without each site managing the purge independently. This fixes a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to process all pending decrypts, and drop back to synchronous mode, but tls_sw_recvmsg() only flushes the async_hold queue when one record has been processed in \"fully-async\" mode, which may not be the case here. [pabeni@redhat.com: added leak comment]", "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-23414" }, { "category": "other", "text": "0.00018", "title": "EPSS" }, { "category": "other", "text": "4.0", "title": "NCSC Score" }, { "category": "other", "text": "Is related to an uncommon cwe id", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "Is related to a product by vendor Linux", "title": "NCSC Score top decreasing factors" }, { "category": "details", "text": "Severity: 2\n", "title": "Vendor assessment" } ], "product_status": { "known_affected": [ "CSAFPID-5271420", "CSAFPID-5984712", "CSAFPID-5984713", "CSAFPID-5984714", "CSAFPID-5984715", "CSAFPID-5984716", "CSAFPID-5984717", "CSAFPID-5984718", "CSAFPID-2036024", "CSAFPID-1439319", "CSAFPID-1453381", "CSAFPID-1453382", "CSAFPID-2858634", "CSAFPID-2858635" ], "known_not_affected": [ "CSAFPID-5271421", "CSAFPID-5971751", "CSAFPID-5984161", "CSAFPID-5984164", "CSAFPID-5984170", "CSAFPID-5984171", "CSAFPID-2036023", "CSAFPID-1439315", "CSAFPID-1439317", "CSAFPID-1439321", "CSAFPID-1453376", "CSAFPID-1453377", "CSAFPID-1453378", "CSAFPID-1453379", "CSAFPID-1453380" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-23414" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/23xxx/CVE-2026-23414.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - debian", "url": "https://security-tracker.debian.org/tracker/CVE-2026-23414" }, { "category": "external", "summary": "Source - redhat", "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23414.json" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/2dcf324855c34e7f934ce978aa19b645a8f3ee71" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/6dc11e0bd0a5466bcc76d275c09e5537bd0597dd" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/84a8335d8300576f1b377ae24abca1d9f197807f" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/9f557c7eae127b44d2e863917dc986a4b6cb1269" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/fd8037e1f18ca5336934d0e0e7e1a4fe097e749d" }, { "category": "external", "summary": "Reference - redhat", "url": "https://www.cve.org/CVERecord?id=CVE-2026-23414" }, { "category": "external", "summary": "Reference - redhat", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23414" }, { "category": "external", "summary": "Reference - redhat", "url": "https://lore.kernel.org/linux-cve-announce/2026040203-CVE-2026-23414-d0e3@gregkh/T" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-1439319", "CSAFPID-1453381", "CSAFPID-1453382", "CSAFPID-2036024", "CSAFPID-2858634", "CSAFPID-2858635", "CSAFPID-5271420", "CSAFPID-5984712", "CSAFPID-5984713", "CSAFPID-5984714", "CSAFPID-5984715", "CSAFPID-5984716", "CSAFPID-5984717", "CSAFPID-5984718" ] } ], "title": "CVE-2026-23414" } ] }