
A severe vulnerability in the Linux kernel's TLS (Transport Layer Security) subsystem could allow attackers to corrupt memory and potentially gain full system control, affecting countless servers and devices running kernel versions prior to 6.12.49.
The flaw (CVE-2025-39946), discovered through Google's kernelCTF security competition, stems from improper error handling when parsing malformed TLS headers in the kernel's kTLS implementation—a feature that offloads TLS encryption/decryption operations to the kernel for improved performance.
Security researcher Faith documented the vulnerability in a detailed technical analysis, revealing how attackers could trigger an out-of-bounds memory access on the kernel's socket buffer structure. "The vulnerability occurs because only one of three code paths properly handles errors when parsing invalid TLS headers," the researcher explained. "This allows attackers to repeatedly corrupt memory state without triggering protective aborts."
The attack works by exploiting the kernel's TLS parser copy mode mechanism. By carefully crafting network traffic—sending incomplete headers followed by large garbage payloads while manipulating socket buffer sizes—an attacker can force the parser into an inconsistent state. This causes the kernel to incorrectly track memory fragment locations, eventually writing data to unallocated or attacker-controlled memory regions.
More critically, researchers demonstrated that this primitive enables pagetable overwrites, a powerful exploitation technique that can lead to arbitrary code execution with kernel privileges. "This effectively overwrites pagetable entries with arbitrary data," Faith noted, confirming a successful full exploit against vulnerable kernel versions.
The vulnerability affects systems using kernel TLS acceleration, particularly those running network services with high connection volumes. Administrators should update immediately to Linux kernel version 6.12.49 or later, which includes a patch that relocates the error-handling code so that malformed TLS headers are rejected on every parsing path.
The flaw highlights the security challenges in kernel networking code, where performance optimizations can introduce subtle but critical flaws. Organizations unable to patch immediately should consider disabling the kernel TLS subsystem by building the kernel without the CONFIG_TLS configuration option.
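A triage helper an administrator might run after reading this, added here as an example that is not from the article or the researcher's write-up: it compares the running kernel against the 6.12.49 fix level stated above and reports whether the kernel TLS subsystem (CONFIG_TLS, the tls module) is present or has active sockets, so the mitigation of not loading kTLS can be judged. It assumes a Linux host with /proc mounted; distribution kernels often backport fixes under older version numbers, so the vendor advisory, not the version check, remains the authority.

```shell
#!/bin/sh
# Added triage helper (not from the article): check the running kernel against
# the 6.12.49 fix level named above and report kernel TLS (CONFIG_TLS) status.

FIXED_VERSION="6.12.49"   # fixed version as stated in the article

# Print numeric field N (1..3) of a dotted version, stripping suffixes such
# as "-generic" or "-rc1"; prints nothing if the field is absent.
vfield() {
    echo "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//'
}

# Return 0 (true) if version $1 is strictly older than version $2.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$1" "$i"); y=$(vfield "$2" "$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal: not older
}

# Return 0 if the running kernel's version is below the fix level. Distribution
# kernels may backport the fix under an older number; check the vendor advisory.
kernel_below_fix() {
    version_lt "$(uname -r)" "$FIXED_VERSION"
}

# /proc/net/tls_stat exists only when the TLS subsystem is built in or the
# tls module is loaded; its TlsCurr* counters are the currently active kTLS
# sockets, so a non-zero value means the code path is in use right now.
ktls_status() {
    if [ -r /proc/net/tls_stat ]; then
        if grep -q '^tls ' /proc/modules 2>/dev/null; then
            echo "ktls: loaded as module 'tls'"
        else
            echo "ktls: present (built in or module not listed)"
        fi
        awk '/^TlsCurr/ && $2 > 0 { print "ktls: active sockets", $1, $2 }' /proc/net/tls_stat
    else
        echo "ktls: not present (CONFIG_TLS disabled or module not loaded)"
    fi
}

kernel_below_fix && echo "kernel $(uname -r) below $FIXED_VERSION: update" || echo "kernel $(uname -r) at/above $FIXED_VERSION"
ktls_status
```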