High

Use-after-free in Linux kernel TLS async decrypt partial read handling

IdentifiersCVE-2024-26582CWE-416· Use After Free

CVE-2024-26582 is a use-after-free vulnerability in the Linux kernel networking/TLS receive path. According to the provided fix description, in net/tls, tls_decrypt_sg does not take a reference on the pages associated with clear_skb. As a result, tls_decrypt_done can call put_page() and release those pages prematurely. If the skb is then processed further during a partial read, process_rx_list may subsequently access data from the partially-read skb after the backing pages have already been freed, resulting in a use-after-free condition. The bug is specifically associated with the interaction between partial reads and asynchronous decryption in the kernel TLS implementation.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause kernel memory safety violations in the TLS receive path, including invalid access to freed pages from skb-backed data. The direct impact is a kernel use-after-free, which can lead to denial of service through kernel crashes or memory corruption. Because this occurs in kernel context, memory corruption may also create a path to more severe outcomes such as privilege escalation or potentially arbitrary code execution in the kernel, although the provided content does not confirm a demonstrated code-execution exploit.

Mitigation

If you can’t patch tonight, do this now.

Until patched kernels can be deployed, reduce exposure by disabling or avoiding kernel TLS receive offload/async decrypt paths where operationally feasible, and limit use of affected kTLS functionality on exposed systems. Systems not using the Linux kernel TLS feature in the affected receive/decrypt path are less exposed. General hardening measures such as restricting untrusted network access to services using kTLS and monitoring for kernel crashes may reduce operational risk, but they do not eliminate the underlying flaw.

Remediation

Patch, then assume compromise.

Apply the upstream Linux kernel fix for CVE-2024-26582 that corrects page lifetime management in the net/tls receive/decryption path, ensuring the relevant pages are properly referenced during asynchronous decrypt handling and partial-read processing. Deploy a kernel version that includes the vendor or distribution backport for this CVE. If you maintain a custom kernel, incorporate the upstream patch addressing the missing page reference in tls_decrypt_sg / clear_skb handling.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

google security research pull requestsNews

Apr 11, 2026

CVE 2026 23392 cos by NLQuy · Pull Request #363 · google/security-research · GitHub

A specific vulnerability identified as CVE-2024-26582, referenced in the context of kernelCTF, mitigation material, writeups, and proof-of-concept updates.

google security research pull requestsNews

Dec 10, 2025

kernelCTF: add CVE-2024-26582_lts

A specific vulnerability identified as CVE-2024-26582 is referenced in a kernelCTF-related context, but no technical details or impact information are provided in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-26582

NVD

nvd.nist.gov/vuln/detail/CVE-2024-26582

MITRE CWE · CWE-416

Use After Free

Patch

git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96

Patch

git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f

Patch

git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df

Patch

git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5

lists.fedoraproject.org

lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM