ghsa-jwp5-c35f-qv38
Vulnerability from github
Published
2025-04-01 18:30
Modified
2025-04-01 18:30
Details

In the Linux kernel, the following vulnerability has been resolved:

net: gso: fix ownership in __udp_gso_segment

In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug:

kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan) RIP: 0010:ip_rcv_core+0x8b2/0xca0 Call Trace: ip_rcv+0xab/0x6e0 __netif_receive_skb_one_core+0x168/0x1b0 process_backlog+0x384/0x1100 __napi_poll.constprop.0+0xa1/0x370 net_rx_action+0x925/0xe50

The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action:

  1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed.
  2. The segments' data are copied and sent to userspace.
  3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path.
  4. If it later hits skb_orphan, we hit the bug.

Fix this by also removing the reference to the socket in __udp_gso_segment.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21926"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T16:15:23Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix ownership in __udp_gso_segment\n\nIn __udp_gso_segment the skb destructor is removed before segmenting the\nskb but the socket reference is kept as-is. This is an issue if the\noriginal skb is later orphaned as we can hit the following bug:\n\n  kernel BUG at ./include/linux/skbuff.h:3312!  (skb_orphan)\n  RIP: 0010:ip_rcv_core+0x8b2/0xca0\n  Call Trace:\n   ip_rcv+0xab/0x6e0\n   __netif_receive_skb_one_core+0x168/0x1b0\n   process_backlog+0x384/0x1100\n   __napi_poll.constprop.0+0xa1/0x370\n   net_rx_action+0x925/0xe50\n\nThe above can happen following a sequence of events when using\nOpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an\nOVS_ACTION_ATTR_OUTPUT action:\n\n1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb\n   goes through queue_gso_packets and then __udp_gso_segment, where its\n   destructor is removed.\n2. The segments\u0027 data are copied and sent to userspace.\n3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the\n   same original skb is sent to its path.\n4. If it later hits skb_orphan, we hit the bug.\n\nFix this by also removing the reference to the socket in\n__udp_gso_segment.",
  "id": "GHSA-jwp5-c35f-qv38",
  "modified": "2025-04-01T18:30:52Z",
  "published": "2025-04-01T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21926"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01a83237644d6822bc7df2c5564fc81b0df84358"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/084819b0d8b1bd433b90142371eb9450d657f8ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/455217ac9db0cf9349b3933664355e907bb1a569"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f28205ddb76e86cac418332e952241d85fed0dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2d1cca955ed34873e524cc2e6e885450d262f05"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8db70537878e1bb3fd83e5abcc6feefc0587828"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee01b2f2d7d0010787c2343463965bbc283a497f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.