Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-31533 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-31533 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-31533 is a use-after-free vulnerability in the Linux kernel's TLS subsystem, specifically within the tls_do_encryption() function in the net/tls component.

Technical Detail

The flaw exists in the error handling path of tls_do_encryption() when the function returns -EBUSY. In this code path, introduced by a prior commit, memory is accessed after it has already been freed, creating a use-after-free condition. An attacker who can trigger this error path, potentially through crafted network operations or local socket manipulation, may be able to corrupt kernel memory, leading to privilege escalation or kernel panic. Successful exploitation of a kernel use-after-free of this nature can result in local privilege escalation to root or, depending on the attack surface exposed, denial of service.

Exploitation Status

No known exploit exists for this vulnerability at this time. The exploit maturity is assessed as none, and CISA has not added this CVE to the Known Exploited Vulnerabilities catalog. This does not preclude private development of exploits, particularly given the critical CVSS score of 9.8.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability. Organizations running Linux kernel deployments with TLS offload or kernel TLS enabled should treat this as a priority patching item regardless of attribution.

What To Do

Apply the upstream Linux kernel patch that resolves the use-after-free in the -EBUSY error path of tls_do_encryption() as soon as it is available in your distribution's stable or security update channel. Administrators who cannot patch immediately should assess whether kernel TLS (KTLS) is in active use and consider disabling it via configuration if operationally feasible. Monitor kernel logs for unexpected memory fault messages or oops traces in the net/tls subsystem as a potential indicator of exploitation attempts. Given the critical severity rating, treat this as a high-priority patch for any Linux system where kernel TLS is enabled or where untrusted users have local access.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →