CVE-2025-40186

EPSS 0.06%
Veröffentlicht 12.11.2025 21:56:29
Zuletzt bearbeitet 14.11.2025 16:42:30
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

syzbot reported the splat below in tcp_conn_request(). [0]

If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.

After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.

Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.

Let's remove reqsk_fastopen_remove() in tcp_conn_request().

Note that other callers make sure tp->fastopen_rsk is not NULL.

[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:
 <IRQ>
 tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
 tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
 tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
 tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
 ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
 ip6_input (net/ipv6/ip6_input.c:500)
 ipv6_rcv (net/ipv6/ip6_input.c:311)
 __netif_receive_skb (net/core/dev.c:6104)
 process_backlog (net/core/dev.c:6456)
 __napi_poll (net/core/dev.c:7506)
 net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
 handle_softirqs (kernel/softirq.c:579)
 do_softirq (kernel/softirq.c:480)
 </IRQ>

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < e359b742eac1eac75cff4e38ee2e8cea492acd9b

Version 7ec092a91ff351dcde89c23e795b73a328274db6

Status affected

Version < ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d

Version a4378dedd6e07e62f2fccb17d78c9665718763d0

Status affected

Version < eb85ad5f23268d64b037bfb545cbcba3752f90c7

Version 33a4fdf0b4a25f8ce65380c3b0136b407ca57609

Status affected

Version < 643a94b0cf767325e953591c212be2eb826b9d7f

Version 17d699727577814198d744d6afe54735c6b54c99

Status affected

Version < 422c1c173c39bbbae1e0eaaf8aefe40b2596233b

Version dfd06131107e7b699ef1e2a24ed2f7d17c917753

Status affected

Version < c11ace909e873118295e9eb22dc8c58b0b50eb32

Version fa4749c065644af4db496b338452a69a3e5147d9

Status affected

Version < 64dc47a13aa3d9daf7cec29b44dca8e22a6aea15

Version 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01

Status affected

Version < 2e7cbbbe3d61c63606994b7ff73c72537afe2e1c

Version 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01

Status affected

Version ae313d14b45eca7a6bb29cb9bf396d977e7d28fb

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.17

Status affected

Version < 6.17

Version 0

Status unaffected

Version <= 5.4.*

Version 5.4.301

Status unaffected

Version <= 5.10.*

Version 5.10.246

Status unaffected

Version <= 5.15.*

Version 5.15.195

Status unaffected

Version <= 6.1.*

Version 6.1.157

Status unaffected

Version <= 6.6.*

Version 6.6.113

Status unaffected

Version <= 6.12.*

Version 6.12.54

Status unaffected

Version <= 6.17.*

Version 6.17.4

Status unaffected

Version <= *

Version 6.18

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.193

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9b

https://git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d

https://git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7

https://git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7f

https://git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233b

https://git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32

https://git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15

https://git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1c

https://nvd.nist.gov/vuln/detail/CVE-2025-40186

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-40186

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-40186

EUVD