ghsa-jm67-vrwh-5hh6
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
espintcp: remove encap socket caching to avoid reference leak
The current scheme for caching the encap socket can lead to reference leaks when we try to delete the netns.
The reference chain is: xfrm_state -> enacp_sk -> netns
Since the encap socket is a userspace socket, it holds a reference on the netns. If we delete the espintcp state (through flush or individual delete) before removing the netns, the reference on the socket is dropped and the netns is correctly deleted. Otherwise, the netns may not be reachable anymore (if all processes within the ns have terminated), so we cannot delete the xfrm state to drop its reference on the socket.
This patch results in a small (~2% in my tests) performance regression.
A GC-type mechanism could be added for the socket cache, to clear references if the state hasn't been used "recently", but it's a lot more complex than just not caching the socket.
{
"affected": [],
"aliases": [
"CVE-2025-38097"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T09:15:23Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: remove encap socket caching to avoid reference leak\n\nThe current scheme for caching the encap socket can lead to reference\nleaks when we try to delete the netns.\n\nThe reference chain is: xfrm_state -\u003e enacp_sk -\u003e netns\n\nSince the encap socket is a userspace socket, it holds a reference on\nthe netns. If we delete the espintcp state (through flush or\nindividual delete) before removing the netns, the reference on the\nsocket is dropped and the netns is correctly deleted. Otherwise, the\nnetns may not be reachable anymore (if all processes within the ns\nhave terminated), so we cannot delete the xfrm state to drop its\nreference on the socket.\n\nThis patch results in a small (~2% in my tests) performance\nregression.\n\nA GC-type mechanism could be added for the socket cache, to clear\nreferences if the state hasn\u0027t been used \"recently\", but it\u0027s a lot\nmore complex than just not caching the socket.",
"id": "GHSA-jm67-vrwh-5hh6",
"modified": "2025-07-03T09:30:32Z",
"published": "2025-07-03T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38097"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/028363685bd0b7a19b4a820f82dd905b1dc83999"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74fd327767fb784c5875cf7c4ba1217f26020943"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9cbca30102028f9ad3d2098f935c4368f581fd07"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b58a295d10065960bcb9d60cb8ca6ead9837cd27"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e4cde54b46a87231c77256a633be1bef62687d69"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.