CVE-2024-26585: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26585 is a race condition vulnerability discovered in the TLS subsystem of the Linux kernel. The vulnerability was disclosed on February 21, 2024, affecting Linux kernel versions from 4.20.0 up to (excluding) 6.6.18 and versions from 6.7.0 up to (excluding) 6.7.6. The issue occurs when there is a race between tx work scheduling and socket close operations (NVD).

The vulnerability stems from a race condition where the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). The issue was related to the ordering of operations in the TLS subsystem, specifically in the tx work scheduling process. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could potentially lead to system availability issues due to improper synchronization between tx work scheduling and socket close operations. The CVSS scoring indicates that while the vulnerability requires local access and is complex to exploit, it could result in high impact on system availability (NVD).

The vulnerability has been fixed by reordering the scheduling of work before calling complete(), which is considered more logical as it follows the inverse order of what the submitting thread does. The fix has been implemented in various Linux kernel versions through patches. Multiple distributions have released updates to address this vulnerability, including Ubuntu and Debian (Kernel Patch).