Cyber Resilience

CVE-2026-23414

Severity: High
Published: 02 April 2026
Modified: 27 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (16.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23414 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique OS Exhaustion Flood (T1499.001). EPSS ranks it at the 16.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-23414 is a memory leak vulnerability in the Linux kernel's TLS implementation, specifically in the software-based TLS decryption path. The issue arises in tls_decrypt_async_wait(), where the async_hold queue retains references to encrypted input socket buffers (SKBs) while asynchronous AEAD operations are in flight. After decryption completes, these SKBs are not unconditionally freed because the queue is not purged at the synchronization point; the leak shows up in failure scenarios such as a partial failure in tls_strp_msg_hold() or a fallback from asynchronous to synchronous mode, where the caller-side purge in tls_sw_recvmsg() never runs. Kernel versions without the referenced stable patches are affected.

Remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By triggering TLS decryption paths, such as through recvmsg or read_sock operations in fully-async or partial-async modes, an attacker can cause repeated memory leaks as cloned SKBs accumulate in the async_hold queue without being released. This leads to a high-impact denial of service via memory exhaustion, as indicated by the CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and CWE-401 classification.

Mitigation requires updating to a patched Linux kernel version by applying the stable commits referenced in the advisory, including 2dcf324855c34e7f934ce978aa19b645a8f3ee71, 6dc11e0bd0a5466bcc76d275c09e5537bd0597dd, 84a8335d8300576f1b377ae24abca1d9f197807f, 9f557c7eae127b44d2e863917dc986a4b6cb1269, and ac435be7c7613eb13a5a8ceb5182e10b50c9ce87. These patches centralize the __skb_queue_purge(&ctx->async_hold) call in tls_decrypt_async_wait() to ensure all callers, including new batch async paths, properly drain pending operations and release held SKBs.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

tls: Purge async_hold in tls_decrypt_async_wait()

The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally.

A subsequent patch adds batch async decryption to tls_sw_read_sock(), introducing a new call site that must drain pending AEAD operations and release held skbs. Move __skb_queue_purge(&ctx->async_hold) into tls_decrypt_async_wait() so the purge is centralized and every caller -- recvmsg's drain path, the -EBUSY fallback in tls_do_decryption(), and the new read_sock batch path -- releases held skbs on synchronization without each site managing the purge independently.

This fixes a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to process all pending decrypts, and drop back to synchronous mode, but tls_sw_recvmsg() only flushes the async_hold queue when one record has been processed in "fully-async" mode, which may not be the case here.

[pabeni@redhat.com: added leak comment]
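The leak and the fix described in the Deeper analysis and in the commit text above come down to where the release of held buffers happens. The following userspace C model is an added example, not kernel code and not taken from the Linux tree: every function and field (the _model suffixes, the live_skbs counter, the centralized_purge switch, the fail_at failure injection) is constructed here to mirror the call structure the commit message describes. It reproduces the partial-failure path of tls_strp_msg_hold() under both the pre-fix behaviour (purge only at the recvmsg fully-async site) and the fixed behaviour (purge inside the wait routine), and counts how many buffers are never freed.

```c
/* Userspace model of the CVE-2026-23414 async_hold lifecycle (constructed
 * illustration; not kernel code). Names ending in _model are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a cloned sk_buff: a list node with an id. */
struct skb {
    struct skb *next;
    int id;
};

/* Queue of skbs pinned while the simulated AEAD engine references them. */
struct skb_queue {
    struct skb *head;
    int len;
};

/* Allocated-but-not-freed skbs; a nonzero value after a run is a leak. */
static int live_skbs;

static struct skb *skb_clone_model(int id) {
    struct skb *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->id = id;
    live_skbs++;
    return s;
}

static void kfree_skb_model(struct skb *s) { free(s); live_skbs--; }

/* Push onto the queue (LIFO order is irrelevant for this model). */
static void skb_queue_add_model(struct skb_queue *q, struct skb *s) {
    s->next = q->head; q->head = s; q->len++;
}

/* Free every skb in the queue, mirroring __skb_queue_purge(). */
static void skb_queue_purge_model(struct skb_queue *q) {
    while (q->head) { struct skb *s = q->head; q->head = s->next; kfree_skb_model(s); }
    q->len = 0;
}

struct tls_ctx {
    struct skb_queue async_hold;
    int decrypt_pending;   /* outstanding simulated AEAD operations */
    int centralized_purge; /* 1 = fixed behaviour, 0 = pre-fix behaviour */
};

/* Wait for all outstanding async decrypts. In the fixed variant the held skbs
 * are also released here, so every caller that synchronizes releases them. */
static void tls_decrypt_async_wait_model(struct tls_ctx *ctx) {
    ctx->decrypt_pending = 0;              /* simulated engine completion */
    if (ctx->centralized_purge)
        skb_queue_purge_model(&ctx->async_hold);
}

/* Model of tls_strp_msg_hold(): clones nfrags skbs onto async_hold, but fails
 * before the clone with index fail_at (fail_at = -1 means never fail). Clones
 * already queued stay on async_hold, which is the partial-failure case. */
static int tls_strp_msg_hold_model(struct tls_ctx *ctx, int nfrags, int fail_at) {
    for (int i = 0; i < nfrags; i++) {
        if (i == fail_at) return -1;
        skb_queue_add_model(&ctx->async_hold, skb_clone_model(i));
        ctx->decrypt_pending++;
    }
    return 0;
}

/* Model of tls_decrypt_sg(): on hold failure, drain pending operations and fall
 * back to synchronous mode. Returns 1 if the record stays on the async path. */
static int tls_decrypt_sg_model(struct tls_ctx *ctx, int nfrags, int fail_at) {
    if (tls_strp_msg_hold_model(ctx, nfrags, fail_at) < 0) {
        tls_decrypt_async_wait_model(ctx);
        return 0; /* a synchronous decrypt would follow here */
    }
    return 1;
}

/* Model of tls_sw_recvmsg(): pre-fix, the purge lives only at this site and
 * runs only after a record was processed fully async. */
static void tls_sw_recvmsg_model(struct tls_ctx *ctx, int nfrags, int fail_at) {
    if (tls_decrypt_sg_model(ctx, nfrags, fail_at)) {
        tls_decrypt_async_wait_model(ctx);
        if (!ctx->centralized_purge)
            skb_queue_purge_model(&ctx->async_hold); /* pre-fix site-local purge */
    }
}

/* Process `records` records and return how many skbs were never released. */
int leaked_after(int centralized_purge, int records, int nfrags, int fail_at) {
    struct tls_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.centralized_purge = centralized_purge;
    live_skbs = 0;
    for (int r = 0; r < records; r++)
        tls_sw_recvmsg_model(&ctx, nfrags, fail_at);
    int leaked = live_skbs;
    skb_queue_purge_model(&ctx.async_hold); /* keep the model itself leak-free */
    return leaked;
}

int main(void) {
    printf("pre-fix, hold fails after 2 of 4 clones: %d skbs leaked\n", leaked_after(0, 100, 4, 2));
    printf("fixed,   hold fails after 2 of 4 clones: %d skbs leaked\n", leaked_after(1, 100, 4, 2));
    printf("pre-fix, fully async record:             %d skbs leaked\n", leaked_after(0, 100, 4, -1));
    return 0;
}
```

The point the model makes is the one the patch makes: the fully-async path was never the problem, because its caller purged the queue; the fallback path leaked two clones per record because it synchronized without passing through that caller-side purge. Placing the release in the routine every path must call to synchronize (tls_decrypt_async_wait() in the kernel) removes the dependence on each caller remembering to purge, which is also why the later batch read_sock path is covered without extra code.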

CWE(s)

CWE-401: Missing Release of Memory after Effective Lifetime

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1499.001 OS Exhaustion Flood (tactic: Impact)
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
Why these techniques?

The memory leak in the kernel TLS path can be triggered remotely and repeatedly, so SKBs accumulate until OS memory is exhausted, which is a denial of service of the T1499.001 kind.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23350 (same product: Linux kernel)
CVE-2026-23444 (same product: Linux kernel)
CVE-2026-31640 (same product: Linux kernel)
CVE-2026-23095 (same product: Linux kernel)
CVE-2026-23453 (same product: Linux kernel)
CVE-2026-23172 (same product: Linux kernel)
CVE-2026-31711 (same product: Linux kernel)
CVE-2024-56775 (same product: Linux kernel)
CVE-2025-71152 (same product: Linux kernel)
CVE-2026-31558 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.18, 7.0; 6.1.158 to 6.1.168; 6.6.114 to 6.6.131; 6.12.55 to 6.12.80

Mitigating Controls (NIST 800-53 r5, AI mapping)

SI-2 Flaw Remediation (function: prevent)

Mandates timely identification, reporting, and remediation of software flaws, such as the missing SKB purge in the kernel TLS async_hold queue, to prevent memory-exhaustion DoS.

SC-5 Denial-of-service Protection (functions: prevent, detect)

Provides architectural and traffic-analysis protections against network-based DoS attacks that exploit the TLS decryption memory leak with low-complexity remote triggers.

Resource-availability control (identifier not captured on the page; functions: prevent, detect, respond)

Ensures resource allocation, monitoring, and management to safeguard against memory exhaustion caused by accumulated leaked SKBs in the async TLS decryption path.
