oss-sec mailing list archives

Re: Linux kernel TLS ULP use-after-free in tls_sk_proto_close()


From: "Emily Shepherd" <emily () redcoat dev>
Date: Wed, 03 Jun 2026 18:49:23 +0100

On Wed Jun 3, 2026 at 10:16 AM BST, Oleg Sevostyanov wrote:
Thank you for the comments.

You are right about the reproducer. I mistakenly included it despite saying
that I was not including it. I apologize for the inconsistency.

This reads like AI. Given the original mistake in publicly submitting 
a PoC when you intended not to, I have to ask: is a human properly 
checking the contents of the emails you are sending?

I also agree that taking lock_sock(sk) earlier in tls_sk_proto_close() looks
like the natural mitigation direction, given that the function takes it
unconditionally anyway. I will bring this point to the kernel/networking
maintainers when discussing a fix.

Can you clarify if this has been raised on the appropriate kernel 
mailing lists? I do not see it in your timeline:

On Tues Jun 2, 2026 at 20:59 AM BST, Oleg Sevostyanov wrote:
Timeline:
2026-05-16: Reported to linux-distros
2026-05-30: Latest agreed public disclosure date
2026-06-02: Public disclosure to oss-security

Emily

