{
  "variant_id": "CVE-2024-26582-variant-backlog-decrypt-uaf",
  "created_at": "2026-07-07",
  "variant_summary": "Bypass of the CVE-2024-26582 fix 32b55c5 (free_sgout) on the FIXED Linux v6.6.18 kernel. The async kTLS decrypt use-after-free class is only partially fixed: 32b55c5 corrects the page-free heuristic in tls_decrypt_done() for the normal async (-EINPROGRESS) + partial-read path, but does NOT cover the crypto-backlog (-EBUSY) error path. When an async decrypt is backlogged and a pending async decrypt fails (-EBADMSG from an attacker-controlled malformed record), tls_decrypt_done() already frees the pages + kfree()s the aead_req/dctx block during the backlog wait; tls_decrypt_sg()'s exit_free_pages/exit_free then frees the same memory again => slab-use-after-free/double-free (KASAN-confirmed). Fixed upstream by commit 13114dc (async_done), which is ABSENT in v6.6.18. Reproduced on v6.6.18+32b55c5; closed by adapting 13114dc.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "torvalds/linux",
  "submitted_target": {
    "target_kind": "linux_kernel_source",
    "commit_sha": "32b55c5ff9103b8508c1e04bfa5a08c64e7a925f",
    "version": "6.6.18",
    "ref": "v6.6.18",
    "display": "Linux v6.6.18 with CVE-2024-26582 fix 32b55c5 (free_sgout)"
  },
  "variant_target": {
    "target_kind": "linux_kernel_source",
    "commit_sha": "v6.6.18",
    "version": "6.6.18",
    "ref": "v6.6.18 + ebusy_force.patch (32b55c5 present, 13114dc absent)",
    "display": "Linux v6.6.18 (32b55c5/free_sgout present, 13114dc/async_done absent) + ebusy_force.patch instrumentation"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "local_only",
  "validated_surface": "local_only",
  "required_entrypoint_kind": "local_kernel_runtime",
  "required_entrypoint_detail": "kTLS TLS1.2 software RX async decrypt via recvmsg/recv on a socket with an async-capable AEAD, under crypto backlog congestion (-EBUSY) with a failing (-EBADMSG) pending async decrypt (attacker-controlled malformed TLS record)",
  "attacker_controlled_input": "network-received TLS record bytes (malformed/corrupt AEAD tag => -EBADMSG) delivered to a kTLS RX session whose async crypto queue is congested (-EBUSY backlog)",
  "trigger_path": "recv/recvmsg -> tls_sw_recvmsg -> tls_rx_one_record -> tls_decrypt_sw -> tls_decrypt_sg -> tls_do_decryption (crypto_aead_decrypt==-EBUSY -> tls_decrypt_async_wait waits; tls_decrypt_done runs on cryptd workqueue, frees pages if free_sgout AND kfree(aead_req)) -> returns -EBADMSG -> tls_decrypt_sg exit_free_pages (put_page loop, DOUBLE-FREE) -> exit_free kfree(mem) (DOUBLE-FREE/UAF of aead_req||tls_decrypt_ctx)",
  "observed_impact_class": "memory_corruption",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": null,
  "file_path": "net/tls/tls_sw.c",
  "line_start": 283,
  "line_end": 294,
  "secondary_anchors": [
    {
      "file_path": "net/tls/tls_sw.c",
      "line_start": 1606,
      "line_end": 1610
    },
    {
      "file_path": "net/tls/tls_sw.c",
      "line_start": 186,
      "line_end": 240
    },
    {
      "file_path": "net/tls/tls_sw.c",
      "line_start": 1585,
      "line_end": 1585
    }
  ],
  "review_scope_paths": [
    "net/tls/tls_sw.c",
    "net/tls/tls_device.c",
    "crypto/simd.c",
    "crypto/cryptd.c"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/backlog_variant_test.c",
      "bundle/vuln_variant/ebusy_force.patch",
      "bundle/vuln_variant/apply_fix13114dc.py"
    ]
  }
}
