{
  "claim_outcome": "confirmed",
  "variant_outcome": "bypass_confirmed",
  "repro_result": "confirmed",
  "validated_surface": "local_only",
  "evidence_scope": "production_path",
  "claimed_impact_class": "memory_corruption",
  "observed_impact_class": "memory_corruption",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "network-received malformed TLS record (-EBADMSG) to a kTLS TLS1.2 RX session under async crypto backlog congestion (-EBUSY)",
  "trigger_path": "recvmsg -> tls_sw_recvmsg -> tls_rx_one_record -> tls_decrypt_sw -> tls_decrypt_sg -> tls_do_decryption (-EBUSY backlog -> tls_decrypt_async_wait -> tls_decrypt_done frees pages+kfree(aead_req) on cryptd workqueue) -> returns -EBADMSG -> tls_decrypt_sg exit_free_pages/exit_free double-frees -> KASAN slab-use-after-free in tls_decrypt_sg",
  "bypass_of_fix": "32b55c5ff9103b8508c1e04bfa5a08c64e7a925f",
  "missing_fix": "13114dc5543069f7b97991e3b79937b6da05f5b0",
  "tested_target": "Linux v6.6.18 (free_sgout/32b55c5 present; async_done/13114dc absent) + ebusy_force.patch",
  "side_by_side_result": {
    "vuln_32b55c5_reverted_plus_ebusy_KASAN": 1,
    "fixed_no_backlog_KASAN": 0,
    "fixed_plus_ebusy_KASAN": 1,
    "fixed_plus_ebusy_plus_13114dc_KASAN": 0
  },
  "end_to_end_target_reached": true,
  "sanitizer_used": true,
  "crash_observed": true,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "blocking_mitigation": null,
  "inferred": false,
  "verdict_explanation": "BYPASS confirmed. The CVE-2024-26582 fix 32b55c5 (free_sgout) only fixes the partial-read async UAF; it does not cover the crypto-backlog (-EBUSY) error path. Four-kernel side-by-side test on v6.6.18: (1) vulnerable tree (32b55c5 reverted) + -EBUSY forcing -> KASAN UAF (variant present on vulnerable); (2) FIXED tree (32b55c5) with NO backlog forcing -> no UAF (32b55c5 holds for the normal async path); (3) FIXED tree + -EBUSY forcing -> KASAN slab-use-after-free in tls_decrypt_sg (BYPASS: 32b55c5 insufficient under backlog congestion; the aead_req/dctx block freed by tls_decrypt_done on the cryptd workqueue is re-freed by exit_free_pages/exit_free); (4) FIXED tree + -EBUSY forcing + adapted 13114dc (async_done) -> no UAF (13114dc is the exact missing fix). KASAN: BUG: KASAN: slab-use-after-free in tls_decrypt_sg, freed by tls_decrypt_done via cryptd_aead_crypt/cryptd_queue_worker."
}
