CVE-2024-35841 in Linux

Summary

by MITRE • 05/17/2024

In the Linux kernel, the following vulnerability has been resolved:

net: tls, fix WARNING in __sk_msg_free

A splice with MSG_SPLICE_PAGES will cause tls code to use the tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user provided pages from the msg into the msg_pl. This will loop over the msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user can also set the MORE flag to hint the stack to delay sending until receiving more pages and ideally a full buffer.

If the user adds more pages to the msg than can fit in the msg_pl scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send the buffer anyway.

What actually happens though is we abort the msg to msg_pl scatterlist setup and then, because we forget to set 'full record' indicating we can no longer consume data without a send, we fall through to the 'continue' path which will check if msg_data_left(msg) has more bytes to send and then attempts to fit them in the already full msg_pl. Then the next iteration of the sender doing send will encounter a full msg_pl and throw the warning in the syzbot report.

To fix, simply check if we have a full_record in the splice code path and if not send the msg regardless of the MORE flag.


Analysis

by VulDB Data Team • 09/26/2025

CVE-2024-35841 affects the Linux kernel's in-kernel TLS (kTLS) implementation, specifically the software-crypto sendmsg path under net/tls/. The bug is reached when a socket with the tls ULP attached is written to through a splice operation, which the kernel routes into sendmsg with the internal MSG_SPLICE_PAGES flag so that the spliced pages are attached to the outgoing record without being copied. The flaw is in how the scatterlist that accumulates the plaintext record (msg_pl) is tracked: one of the two conditions that must force the record out is never recorded, so the sender's belief about whether it can keep consuming data diverges from the actual state of the buffer.

Concretely, tls_sw_sendmsg_splice moves the user-provided pages from the msg into msg_pl, whose scatterlist holds at most MAX_MSG_FRAGS entries. When the caller also sets MSG_MORE, the sender prefers to keep filling the open record instead of pushing it immediately. If the msg carries more pages than msg_pl has free entries, the splice helper stops as soon as the scatterlist is full; at that point the MORE hint has to be overridden and the record sent, because nothing further can be accumulated. The unfixed code did not set full_record in this case, so after the splice returned it still assumed it could continue consuming without a send.

The consequence is not memory corruption but an inconsistent state machine. The loop takes the 'continue' path, sees that msg_data_left(msg) is non-zero, and tries to place the remaining pages into a msg_pl that is already full; the next pass through the sender hits that full scatterlist and trips the WARN that syzbot reported (the commit is titled after the warning in __sk_msg_free). VulDB classifies the issue as CWE-129 (Improper Validation of Array Index) and maps it to ATT&CK technique T1059.001. Note that T1059.001 is the PowerShell sub-technique of Command and Scripting Interpreter; it does not describe a kernel-side fault like this one, so the mapping should not be read as an execution path.

Operationally this is a denial-of-service condition. A local process that can set up a kTLS transmit socket (setsockopt TCP_ULP "tls" on an established connection, then TLS_TX with key material, which needs no privilege beyond owning the socket as long as the tls module is available) and splice a payload with more pages than MAX_MSG_FRAGS into it with MSG_MORE can reach the warning. On a default kernel a WARN prints a stack trace and the caller continues; on kernels booted with panic_on_warn=1, as the syzbot kernels that found it were, the same trigger panics the machine. Affected systems are those with CONFIG_TLS enabled and workloads that feed kTLS sockets through splice or sendfile, typically high-throughput servers using kTLS for zero-copy transmission. The fix treats a full msg_pl after the splice as a full record: when the scatterlist has no free entries, the record is pushed regardless of MSG_MORE, so the sender never re-enters the loop holding a buffer it cannot extend. Affected deployments should run a kernel that carries that fix.
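The loop described above, as an added user-space C model written for this page (it is not kernel code and not part of the VulDB entry or the kernel commit): MAX_MSG_FRAGS is fixed at 17, the kernel's default for 4 KiB pages, fragments are counted rather than mapped, the 16 KiB record-size cap is ignored, and the syzbot warning is modeled as the sender starting an iteration with an already-full msg_pl. All four are assumptions of the model. tls_splice_send runs the unfixed and fixed variants of the splice branch side by side so the divergence is visible.

```c
/*
 * User-space model of the kTLS sendmsg splice loop for CVE-2024-35841.
 * Not kernel code. Assumptions of this model: fragments are a counter,
 * the 16 KiB record cap is ignored, and the __sk_msg_free WARN is
 * represented by the sender entering an iteration with msg_pl already full.
 */
#include <stdbool.h>
#include <stdio.h>

#define MAX_MSG_FRAGS 17	/* kernel default on 4 KiB pages; modeling constant here */
#define MAX_ITERATIONS 1000	/* guard so the unfixed variant always terminates */

struct sim_result {
	int records_pushed;	/* times msg_pl was handed to the record layer */
	int pages_left;		/* user pages not consumed when sendmsg returned */
	bool warned;		/* sender found msg_pl already full: the syzbot WARN */
};

/* Model of tls_sw_sendmsg_splice: move pages into msg_pl until it is full. */
static int splice_pages_into_msg_pl(int *msg_pl_used, int pages_left)
{
	int moved = 0;

	while (pages_left > 0 && *msg_pl_used < MAX_MSG_FRAGS) {
		(*msg_pl_used)++;
		pages_left--;
		moved++;
	}
	return moved;
}

/*
 * Model of the sendmsg loop for a MSG_SPLICE_PAGES send.
 * @pages:    number of user pages carried by the msg
 * @msg_more: MSG_MORE was set, so the caller hints that more data follows
 * @fixed:    apply the fix: a full msg_pl after the splice is a full record
 */
struct sim_result tls_splice_send(int pages, bool msg_more, bool fixed)
{
	struct sim_result r = { 0, 0, false };
	int msg_pl_used = 0;
	int pages_left = pages;
	bool eor = !msg_more;	/* end of record: no MSG_MORE hint */

	for (int iter = 0; pages_left > 0 && iter < MAX_ITERATIONS; iter++) {
		bool full_record = false;

		/* The bug's manifestation: a new pass with nowhere to put data. */
		if (msg_pl_used == MAX_MSG_FRAGS) {
			r.warned = true;
			break;
		}

		pages_left -= splice_pages_into_msg_pl(&msg_pl_used, pages_left);

		/* The fix: a full scatterlist means the record must go out now. */
		if (fixed && msg_pl_used == MAX_MSG_FRAGS)
			full_record = true;

		if (full_record || eor) {
			r.records_pushed++;
			msg_pl_used = 0;	/* record pushed; fresh scatterlist */
			continue;
		}
		/* MSG_MORE set and the sender believes there is room: keep consuming. */
	}
	r.pages_left = pages_left;
	return r;
}

int main(void)
{
	const int pages = MAX_MSG_FRAGS + 3;	/* more pages than msg_pl can hold */
	struct sim_result unfixed = tls_splice_send(pages, true, false);
	struct sim_result fixed = tls_splice_send(pages, true, true);

	printf("unfixed, MSG_MORE: pushed=%d left=%d warned=%s\n",
	       unfixed.records_pushed, unfixed.pages_left,
	       unfixed.warned ? "yes" : "no");
	printf("fixed,   MSG_MORE: pushed=%d left=%d warned=%s\n",
	       fixed.records_pushed, fixed.pages_left,
	       fixed.warned ? "yes" : "no");
	return 0;
}
```

With MSG_MORE and 20 pages the unfixed variant fills all 17 entries, takes the continue path with 3 pages outstanding, and trips the modeled warning on the next pass; the fixed variant pushes the full record first and parks the remaining 3 pages in a fresh msg_pl. Without MSG_MORE both variants behave the same, which is why the bug needs the MORE hint.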

Reservation

05/17/2024

Disclosure

05/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00218

KEV

no

Activities

very low
