{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21864", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.780Z", "datePublished": "2025-03-12T09:42:21.223Z", "dateUpdated": "2025-03-24T15:41:35.191Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-24T15:41:35.191Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: drop secpath at the same time as we currently drop dst\n\nXiumei reported hitting the WARN in xfrm6_tunnel_net_exit while\nrunning tests that boil down to:\n - create a pair of netns\n - run a basic TCP test over ipcomp6\n - delete the pair of netns\n\nThe xfrm_state found on spi_byaddr was not deleted at the time we\ndelete the netns, because we still have a reference on it. This\nlingering reference comes from a secpath (which holds a ref on the\nxfrm_state), which is still attached to an skb. This skb is not\nleaked, it ends up on sk_receive_queue and then gets defer-free'd by\nskb_attempt_defer_free.\n\nThe problem happens when we defer freeing an skb (push it on one CPU's\ndefer_list), and don't flush that list before the netns is deleted. In\nthat case, we still have a reference on the xfrm_state that we don't\nexpect at this point.\n\nWe already drop the skb's dst in the TCP receive path when it's no\nlonger needed, so let's also drop the secpath. At this point,\ntcp_filter has already called into the LSM hooks that may require the\nsecpath, so it should not be needed anymore. However, in some of those\nplaces, the MPTCP extension has just been attached to the skb, so we\ncannot simply drop all extensions."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/tcp.h", "net/ipv4/tcp_fastopen.c", "net/ipv4/tcp_input.c", "net/ipv4/tcp_ipv4.c"], "versions": [{"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086", "lessThan": "87858bbf21da239ace300d61dd209907995c0491", "status": "affected", "versionType": "git"}, {"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086", "lessThan": "f1d5e6a5e468308af7759cf5276779d3155c5e98", "status": "affected", "versionType": "git"}, {"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086", "lessThan": "cd34a07f744451e2ecf9005bb7d24d0b2fb83656", "status": "affected", "versionType": "git"}, {"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086", "lessThan": "69cafd9413084cd5012cf5d7c7ec6f3d493726d9", "status": "affected", "versionType": "git"}, {"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086", "lessThan": "9b6412e6979f6f9e0632075f8f008937b5cd4efd", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/tcp.h", "net/ipv4/tcp_fastopen.c", "net/ipv4/tcp_input.c", "net/ipv4/tcp_ipv4.c"], "versions": [{"version": "5.19", "status": "affected"}, {"version": "0", "lessThan": "5.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.130", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.80", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.17", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.5", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/87858bbf21da239ace300d61dd209907995c0491"}, {"url": "https://git.kernel.org/stable/c/f1d5e6a5e468308af7759cf5276779d3155c5e98"}, {"url": "https://git.kernel.org/stable/c/cd34a07f744451e2ecf9005bb7d24d0b2fb83656"}, {"url": "https://git.kernel.org/stable/c/69cafd9413084cd5012cf5d7c7ec6f3d493726d9"}, {"url": "https://git.kernel.org/stable/c/9b6412e6979f6f9e0632075f8f008937b5cd4efd"}], "title": "tcp: drop secpath at the same time as we currently drop dst", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B2819D9-E557-41EC-A77B-F5A5992BBC20", "versionEndExcluding": "6.1.130", "versionStartIncluding": "5.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A93F3655-6FAF-43B0-8541-A212998F05B8", "versionEndExcluding": "6.6.80", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15370AEE-6D1C-49C3-8CB7-E889D5F92B6F", "versionEndExcluding": "6.12.17", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "72E69ABB-9015-43A6-87E1-5150383CFFD9", "versionEndExcluding": "6.13.5", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: drop secpath at the same time as we currently drop dst\n\nXiumei reported hitting the WARN in xfrm6_tunnel_net_exit while\nrunning tests that boil down to:\n - create a pair of netns\n - run a basic TCP test over ipcomp6\n - delete the pair of netns\n\nThe xfrm_state found on spi_byaddr was not deleted at the time we\ndelete the netns, because we still have a reference on it. This\nlingering reference comes from a secpath (which holds a ref on the\nxfrm_state), which is still attached to an skb. This skb is not\nleaked, it ends up on sk_receive_queue and then gets defer-free'd by\nskb_attempt_defer_free.\n\nThe problem happens when we defer freeing an skb (push it on one CPU's\ndefer_list), and don't flush that list before the netns is deleted. In\nthat case, we still have a reference on the xfrm_state that we don't\nexpect at this point.\n\nWe already drop the skb's dst in the TCP receive path when it's no\nlonger needed, so let's also drop the secpath. At this point,\ntcp_filter has already called into the LSM hooks that may require the\nsecpath, so it should not be needed anymore. However, in some of those\nplaces, the MPTCP extension has just been attached to the skb, so we\ncannot simply drop all extensions."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: descartar secpath al mismo tiempo que descartamos dst Xiumei inform\u00f3 haber alcanzado el WARN en xfrm6_tunnel_net_exit mientras ejecutaba pruebas que se reducen a: - crear un par de netns - ejecutar una prueba TCP b\u00e1sica sobre ipcomp6 - eliminar el par de netns El xfrm_state encontrado en spi_byaddr no se elimin\u00f3 en el momento en que eliminamos los netns, porque a\u00fan tenemos una referencia en \u00e9l. Esta referencia persistente proviene de un secpath (que contiene una referencia en xfrm_state), que a\u00fan est\u00e1 adjunto a un skb. Este skb no se filtra, termina en sk_receive_queue y luego se libera mediante skb_attempt_defer_free. El problema ocurre cuando posponemos la liberaci\u00f3n de un skb (insertarlo en la lista defer_list de una CPU) y no limpiamos esa lista antes de eliminar netns. En ese caso, a\u00fan tenemos una referencia en xfrm_state inesperada en este momento. Ya eliminamos el dst del skb en la ruta de recepci\u00f3n TCP cuando ya no es necesario, as\u00ed que tambi\u00e9n eliminamos el secpath. En este punto, tcp_filter ya ha llamado a los ganchos LSM que podr\u00edan requerir el secpath, por lo que ya no deber\u00eda ser necesario. Sin embargo, en algunos de esos lugares, la extensi\u00f3n MPTCP se acaba de adjuntar al skb, por lo que no podemos simplemente eliminar todas las extensiones."}], "id": "CVE-2025-21864", "lastModified": "2025-03-13T21:13:34.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-12T10:15:19.520", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/69cafd9413084cd5012cf5d7c7ec6f3d493726d9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/87858bbf21da239ace300d61dd209907995c0491"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9b6412e6979f6f9e0632075f8f008937b5cd4efd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cd34a07f744451e2ecf9005bb7d24d0b2fb83656"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f1d5e6a5e468308af7759cf5276779d3155c5e98"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: tcp: drop secpath at the same time as we currently drop dst", "id": "2351618", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351618"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntcp: drop secpath at the same time as we currently drop dst\nXiumei reported hitting the WARN in xfrm6_tunnel_net_exit while\nrunning tests that boil down to:\n- create a pair of netns\n- run a basic TCP test over ipcomp6\n- delete the pair of netns\nThe xfrm_state found on spi_byaddr was not deleted at the time we\ndelete the netns, because we still have a reference on it. This\nlingering reference comes from a secpath (which holds a ref on the\nxfrm_state), which is still attached to an skb. This skb is not\nleaked, it ends up on sk_receive_queue and then gets defer-free'd by\nskb_attempt_defer_free.\nThe problem happens when we defer freeing an skb (push it on one CPU's\ndefer_list), and don't flush that list before the netns is deleted. In\nthat case, we still have a reference on the xfrm_state that we don't\nexpect at this point.\nWe already drop the skb's dst in the TCP receive path when it's no\nlonger needed, so let's also drop the secpath. At this point,\ntcp_filter has already called into the LSM hooks that may require the\nsecpath, so it should not be needed anymore. However, in some of those\nplaces, the MPTCP extension has just been attached to the skb, so we\ncannot simply drop all extensions."], "name": "CVE-2025-21864", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21864\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21864\nhttps://lore.kernel.org/linux-cve-announce/2025031218-CVE-2025-21864-9a8a@gregkh/T"], "threat_severity": "Moderate"}