CVE-2025-37756 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net: tls: explicitly disallow disconnect

syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled we'd need to wait for all packets to be _acked_. Disconnect is not commonly used, disallow it.

The immediate problem syzbot run into is the warning in the strp, but that's just the easiest bug to trigger:

WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 Call Trace: tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363 tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043 inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678 sock_recvmsg_nosec net/socket.c:1023 [inline]
sock_recvmsg+0x109/0x280 net/socket.c:1045 __sys_recvfrom+0x202/0x380 net/socket.c:2237

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/16/2026

The vulnerability CVE-2025-37756 addresses a critical design flaw in the Linux kernel's Transport Layer Security implementation within the networking subsystem. This issue specifically targets the TLS socket handling mechanism where the kernel was inadvertently allowing disconnect operations on TLS sockets, creating a dangerous state that could lead to system instability and potential security implications. The problem was identified through automated fuzzing conducted by syzbot, which revealed that disconnect operations on TLS sockets could trigger numerous unexpected corner cases that had not been properly accounted for in the kernel's TLS implementation. The vulnerability represents a fundamental architectural oversight in how the kernel handles TLS socket lifecycle management, particularly when dealing with hardware offloading scenarios.

The technical root cause of this vulnerability lies in the kernel's TLS subsystem's inability to properly handle disconnect operations when hardware offloading is enabled. When a TLS socket disconnects, the system must ensure that all pending packets are properly acknowledged before proceeding with cleanup operations. However, the current implementation fails to account for this requirement, leading to race conditions and memory corruption scenarios. The specific error manifests in the tls_strp.c file at line 486 within the tls_strp_msg_load function, where a warning is generated indicating that the system has encountered an unexpected state during packet processing. This warning serves as a symptom of deeper underlying issues that occur when disconnect operations are attempted on TLS sockets, particularly those that are actively using hardware offloading capabilities.

The operational impact of this vulnerability extends beyond simple system instability to potentially enable privilege escalation and denial of service attacks. When a disconnect operation is performed on a TLS socket, the kernel's state management becomes inconsistent, particularly in scenarios involving packet reassembly and hardware offloading. The warning message indicates that the system has entered an unexpected state during packet loading operations, which could result in memory corruption, data loss, or complete system crashes. This vulnerability is particularly concerning because TLS sockets are commonly used in secure network communications, making this flaw potentially exploitable by attackers who can establish TLS connections and then attempt to disconnect them maliciously. The complexity of the issue increases when considering that the kernel must properly coordinate between software and hardware components during disconnect operations, creating multiple potential failure points.

The recommended mitigations for this vulnerability involve explicitly disabling disconnect operations on TLS sockets within the kernel's TLS implementation. This approach aligns with industry best practices for maintaining system stability in complex networking scenarios, as demonstrated by similar security measures implemented in other kernel subsystems. The solution fundamentally changes the TLS socket behavior to prevent the problematic disconnect operations entirely, thereby eliminating the race conditions and state management issues that lead to system instability. From an ATT&CK framework perspective, this vulnerability could be categorized under T1059.001 (Command and Scripting Interpreter) and T1499.004 (Encryption Software) as it affects the underlying system's ability to maintain secure communications. The fix should be implemented as a kernel patch that modifies the TLS socket state machine to reject disconnect operations, ensuring that the kernel's TLS implementation maintains consistent state throughout the socket's lifecycle. This approach also aligns with CWE-665 (Improper Initialization) and CWE-835 (Loop with Unreachable Exit Condition) categories, as the vulnerability stems from improper handling of socket state transitions and failure to properly initialize or manage the disconnect operation flow.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00262

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!