fkie_cve-2025-38273
Vulnerability from fkie_nvd
Published
2025-07-10 08:15
Modified
2025-07-10 13:17
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: tipc: fix refcount warning in tipc_aead_encrypt
syzbot reported a refcount warning [1] caused by calling get_net() on
a network namespace that is being destroyed (refcount=0). This happens
when a TIPC discovery timer fires during network namespace cleanup.
The recently added get_net() call in commit e279024617134 ("net/tipc:
fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to
hold a reference to the network namespace. However, if the namespace
is already being destroyed, its refcount might be zero, leading to the
use-after-free warning.
Replace get_net() with maybe_get_net(), which safely checks if the
refcount is non-zero before incrementing it. If the namespace is being
destroyed, return -ENODEV early, after releasing the bearer reference.
[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tipc: fix refcount warning in tipc_aead_encrypt\n\nsyzbot reported a refcount warning [1] caused by calling get_net() on\na network namespace that is being destroyed (refcount=0). This happens\nwhen a TIPC discovery timer fires during network namespace cleanup.\n\nThe recently added get_net() call in commit e279024617134 (\"net/tipc:\nfix slab-use-after-free Read in tipc_aead_encrypt_done\") attempts to\nhold a reference to the network namespace. However, if the namespace\nis already being destroyed, its refcount might be zero, leading to the\nuse-after-free warning.\n\nReplace get_net() with maybe_get_net(), which safely checks if the\nrefcount is non-zero before incrementing it. If the namespace is being\ndestroyed, return -ENODEV early, after releasing the bearer reference.\n\n[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tipc: correcci\u00f3n de la advertencia de recuento de referencias en tipc_aead_encrypt. syzbot report\u00f3 una advertencia de recuento de referencias [1] causada por la llamada a get_net() en un espacio de nombres de red que se est\u00e1 destruyendo (recuento de referencias = 0). Esto ocurre cuando se activa un temporizador de descubrimiento de TIPC durante la limpieza del espacio de nombres de red. La llamada a get_net(), recientemente a\u00f1adida en el commit e279024617134 (\"net/tipc: correcci\u00f3n de la lectura de slab-use-after-free en tipc_aead_encrypt_done\"), intenta contener una referencia al espacio de nombres de red. Sin embargo, si el espacio de nombres ya se est\u00e1 destruyendo, su recuento de referencias podr\u00eda ser cero, lo que genera la advertencia de use-after-free. Reemplace get_net() por perhaps_get_net(), que comprueba de forma segura si el recuento de referencias es distinto de cero antes de incrementarlo. Si el espacio de nombres se est\u00e1 destruyendo, devuelva -ENODEV antes de tiempo, despu\u00e9s de liberar la referencia del portador. [1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2"
}
],
"id": "CVE-2025-38273",
"lastModified": "2025-07-10T13:17:30.017",
"metrics": {},
"published": "2025-07-10T08:15:25.530",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/307391e8fe70401a6d39ecc9978e13c2c0cdf81f"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/445d59025d76d0638b03110f8791d5b89ed5162d"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/9ff60e0d9974dccf24e89bcd3ee7933e538d929f"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/acab7ca5ff19889b80a8ee7dec220ee1a96dede9"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/c762fc79d710d676b793f9d98b1414efe6eb51e6"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/e0b11227c4e8eb4bdf1b86aa8f0f3abb24e0f029"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/f29ccaa07cf3d35990f4d25028cc55470d29372b"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…