CVE-2026-5066: TLS Session Cache Out-of-Bounds Write Vulnerability
A vulnerability exists in how network socket connections handle TLS session caching. When applications enable TLS session caching, the system can be tricked into copying address data without properly checking the data size. An attacker with authenticated network access can send crafted address data that overflows a buffer, potentially crashing the system or executing arbitrary code.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-787
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller-supplied address into a fixed-size buffer using the caller-controlled addrlen value without validating it against the destination size. struct net_sockaddr is an opaque type, so an application can pass an addrlen larger than sizeof(struct net_sockaddr) (for example 128 bytes into a 24-byte stack buffer), causing the memcpy to read and write past the end of the address memory used by the TLS session cache. This out-of-bounds write can lead to a crash and denial of service, and potentially to arbitrary code execution.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-5066 is an out-of-bounds write/read vulnerability in subsys/net/lib/sockets/sockets_tls.c affecting the TLS session cache mechanism. The vulnerability occurs in tls_session_store() and tls_session_restore() functions where memcpy operations copy caller-supplied socket addresses into a fixed-size buffer using an unchecked, caller-controlled addrlen parameter. Since struct net_sockaddr is opaque, applications can provide an addrlen value exceeding sizeof(struct net_sockaddr)—for instance, 128 bytes into a 24-byte stack buffer—resulting in out-of-bounds memory read and write operations. This memory corruption affects the TLS session cache memory region and adjacent stack data.
Business impact
Exploitation requires authenticated network access and TLS session caching to be enabled, reducing the immediate attack surface. However, when conditions are met, the vulnerability enables denial of service through crashes and potential remote code execution within the affected process. Systems hosting network services that authenticate clients and cache TLS sessions face elevated risk. The impact scales with service criticality and network exposure.
Affected systems
The vulnerability resides in the network sockets subsystem and specifically targets deployments where TLS session caching is enabled in production configurations. No specific vendor products have been pre-identified in the vulnerability record; identification requires review of affected software that integrates this network sockets library and enables TLS session caching functionality.
Exploitability
Exploitation requires authenticated network access (PR:L in the CVSS vector), meaning an attacker must first establish legitimate credentials or pass local authentication. The attack does not require user interaction. The technical barrier is moderate—an attacker must craft a malicious address structure with an inflated addrlen value and trigger a TLS session cache operation. No known public exploits are documented, and the vulnerability is not tracked in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Vendors should implement strict validation of addrlen against the actual size of struct net_sockaddr before performing memcpy operations in both tls_session_store() and tls_session_restore(). Input validation must occur regardless of whether the application supplies the addrlen value. Organizations should monitor vendor advisories for patched versions and test patches in non-production environments before deployment.
Patch guidance
Consult the software vendor's security advisory for specific patched version numbers and deployment instructions. Patches should address the memcpy bounds-checking issue in the TLS session cache code path. When available, apply patches to systems with TLS session caching enabled. Prioritize systems that accept authenticated network connections and rely on TLS session persistence.
Detection guidance
Monitor system logs and crash reports for unexpected process terminations associated with network socket operations, particularly those handling TLS connections with session caching active. Kernel or application-level memory protection features (stack canaries, Address Sanitizer) may detect out-of-bounds accesses during development testing. Network-based detection is limited; focus detection efforts on host-level anomaly monitoring for crashes or unexpected process behavior following TLS handshakes.
Why prioritize this
CVSS 6.3 (Medium) reflects the requirement for authenticated network access and the dual risk of denial of service and code execution. Prioritize patching for internet-facing services that accept client authentication and maintain TLS session caches. Lower priority for internal-only services or deployments where TLS session caching is disabled.
Risk score, explained
The CVSS 3.1 score of 6.3 (MEDIUM) results from: Network attack vector (AV:N) reflecting remote exploitability, Low complexity (AC:L) as no special conditions are required post-authentication, Low privilege requirement (PR:L) mandating authentication, No user interaction (UI:N), and Unchanged scope (S:U). The confidentiality, integrity, and availability impacts (C:L, I:L, A:L) are each rated Low due to the memory corruption being confined to the TLS session cache region and adjacent stack memory, typically within a single process context.
Frequently asked questions
Does exploitation require special network conditions or can any authenticated user trigger this?
Any authenticated user capable of initiating a TLS connection to an affected service can attempt exploitation. No special network conditions (such as man-in-the-middle positioning) are required. The vulnerability depends on TLS session caching being enabled and the application accepting the malicious address structure.
Can this vulnerability be exploited if TLS session caching is disabled?
No. The vulnerability specifically manifests in tls_session_store() and tls_session_restore() functions, which are only invoked when TLS session caching is enabled. Organizations can mitigate this vulnerability operationally by disabling session caching until patches are applied, though this may impact TLS performance.
What is the relationship between this vulnerability and arbitrary code execution?
Out-of-bounds writes to stack memory can overwrite critical data structures, return addresses, or function pointers. If an attacker can precisely control the overflow content and bypass protections like Address Space Layout Randomization (ASLR), code execution is theoretically possible. However, practical exploitation depends on the target architecture, memory layout, and active mitigations.
Is there a public exploit or proof-of-concept available?
No. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified. Threat actors may develop exploits once patches are released and the technical details become widely understood.
This analysis is based on the vulnerability record current as of publication. No vendor products or patch versions have been pre-identified; verification against official vendor advisories is mandatory before patching decisions. Exploitation risk assessments assume standard security configurations; environments with additional hardening (DEP, ASLR, stack canaries) may have reduced code execution likelihood. This content is for informational purposes only and does not constitute professional security advice for your specific infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-59614MEDIUMQualcomm Memory Corruption in RNG Command Handling
- CVE-2026-10114MEDIUMOpen5GS Out-of-Bounds Write in NF Profile Parser
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure
- CVE-2026-20453MEDIUMMediaTek geniezone Out-of-Bounds Write Privilege Escalation
- CVE-2026-20456MEDIUMMediaTek WLAN Driver Out-of-Bounds Write DoS
- CVE-2026-45684MEDIUMOpenTelemetry eBPF Instrumentation Buffer Over-Read Vulnerability
- CVE-2026-5589MEDIUMZephyr Bluetooth Mesh Integer Underflow and Out-of-Bounds Write
- CVE-2026-8916MEDIUMOut-of-Bounds Write in Samsung rlottie Animation Library