{
  "parent_cve": "CVE-2024-26582",
  "parent_fix": "32b55c5ff9103b8508c1e04bfa5a08c64e7a925f (net: tls: fix use-after-free with partial reads and async decrypt; free_sgout)",
  "variant_fix": "13114dc5543069f7b97991e3b79937b6da05f5b0 (tls: fix use-after-free on failed backlog decryption; async_done; Fixes: 859054147318)",
  "shared_component": "net/tls/tls_sw.c kTLS software RX async AEAD decrypt",
  "shared_sink": "tls_decrypt_done() (async completion callback) releases destination pages + kfree(aead_req/dctx); tls_decrypt_sg() error path (exit_free_pages/exit_free) also releases them",
  "shared_trust_boundary": "network-received TLS record bytes consumed by a kTLS RX socket; async decrypt enabled for TLS1.2 DATA records with an async-capable AEAD",
  "parent_root_cause": "tls_decrypt_done() used the fragile sgout != sgin pointer heuristic to decide whether to free the AEAD destination pages; because sgout and sgin are always distinct arrays, it freed clear_skb's pages (which it does not own) on async completion, and a later partial read via process_rx_list() accessed the freed pages => UAF.",
  "variant_root_cause": "On the -EBUSY crypto-backlog path, tls_do_decryption() synchronously waits (tls_decrypt_async_wait) for the backlog to drain; during that wait tls_decrypt_done() runs and frees the pages + kfree(aead_req/dctx). If a pending decrypt failed (-EBADMSG), tls_do_decryption() returns -EBADMSG and tls_decrypt_sg() runs its error cleanup (exit_free_pages/exit_free) on the already-freed memory => double-free/UAF. 32b55c5 provides no signal that the callback already ran.",
  "equivalence": "same",
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "rationale": "Both are use-after-free/double-free manifestations in the same kTLS async-decrypt RX path and the same memory (aead_req/dctx block + AEAD destination pages), crossing the same trust boundary (attacker-controlled network TLS records). The parent (32b55c5) and the variant (13114dc) are sibling fixes for the async-decrypt UAF class; 32b55c5 fixes the callback's page-free decision (partial-read path), 13114dc fixes the error-path re-free after the callback already ran (backlog path). The variant reproduces on a kernel that has 32b55c5 but lacks 13114dc, i.e. 32b55c5 is necessary but not sufficient.",
  "distinction": "The parent trigger is the normal async (-EINPROGRESS) completion + partial read (process_rx_list accesses freed clear_skb pages). The variant trigger is the -EBUSY backlog wait + a failing pending decrypt, where the double-free is in tls_decrypt_sg's error cleanup (exit_free_pages/exit_free), not in process_rx_list. Different sub-path, same sink/class.",
  "impact_parity": "full",
  "independent_bugs_conflation_check": "Not a conflation: 13114dc's Fixes line points to 859054147318 (the backlog handling), which is the same async-decrypt RX area as 32b55c5; both are grouped under CVE-2024-26582 by the upstream analysis (e.g. https://u1f383.github.io/linux/2025/01/21/linux-kernel-tls-part-2.html sections 4.4 and 4.5). They share the trust boundary and code path; this is a sibling variant of the same CVE, not an unrelated bug."
}
