CVE-2025-38097 (GCVE-0-2025-38097)
Vulnerability from cvelistv5
Published: 2025-07-03 08:13
Modified: 2025-07-03 08:13
Severity: none assigned (the record carries no metrics)
Summary
In the Linux kernel, the following vulnerability has been resolved:

espintcp: remove encap socket caching to avoid reference leak

The current scheme for caching the encap socket can lead to reference leaks when we try to delete the netns.

The reference chain is: xfrm_state -> encap_sk -> netns

Since the encap socket is a userspace socket, it holds a reference on the netns. If we delete the espintcp state (through flush or individual delete) before removing the netns, the reference on the socket is dropped and the netns is correctly deleted. Otherwise, the netns may not be reachable anymore (if all processes within the ns have terminated), so we cannot delete the xfrm state to drop its reference on the socket.

This patch results in a small (~2% in my tests) performance regression.

A GC-type mechanism could be added for the socket cache, to clear references if the state hasn't been used "recently", but it's a lot more complex than just not caching the socket.
Impacted products
Vendor  Product  Version
Linux   Linux    e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 (git; the introducing commit, listed in the record once for each of the five fixed ranges)
Linux   Linux    5.6 (semver; affected from this release until the fixed stable versions)


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/xfrm.h",
            "net/ipv4/esp4.c",
            "net/ipv6/esp6.c",
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e4cde54b46a87231c77256a633be1bef62687d69",
              "status": "affected",
              "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
              "versionType": "git"
            },
            {
              "lessThan": "b58a295d10065960bcb9d60cb8ca6ead9837cd27",
              "status": "affected",
              "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
              "versionType": "git"
            },
            {
              "lessThan": "9cbca30102028f9ad3d2098f935c4368f581fd07",
              "status": "affected",
              "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
              "versionType": "git"
            },
            {
              "lessThan": "74fd327767fb784c5875cf7c4ba1217f26020943",
              "status": "affected",
              "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
              "versionType": "git"
            },
            {
              "lessThan": "028363685bd0b7a19b4a820f82dd905b1dc83999",
              "status": "affected",
              "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/xfrm.h",
            "net/ipv4/esp4.c",
            "net/ipv6/esp6.c",
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: remove encap socket caching to avoid reference leak\n\nThe current scheme for caching the encap socket can lead to reference\nleaks when we try to delete the netns.\n\nThe reference chain is: xfrm_state -\u003e enacp_sk -\u003e netns\n\nSince the encap socket is a userspace socket, it holds a reference on\nthe netns. If we delete the espintcp state (through flush or\nindividual delete) before removing the netns, the reference on the\nsocket is dropped and the netns is correctly deleted. Otherwise, the\nnetns may not be reachable anymore (if all processes within the ns\nhave terminated), so we cannot delete the xfrm state to drop its\nreference on the socket.\n\nThis patch results in a small (~2% in my tests) performance\nregression.\n\nA GC-type mechanism could be added for the socket cache, to clear\nreferences if the state hasn\u0027t been used \"recently\", but it\u0027s a lot\nmore complex than just not caching the socket."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-03T08:13:57.694Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e4cde54b46a87231c77256a633be1bef62687d69"
        },
        {
          "url": "https://git.kernel.org/stable/c/b58a295d10065960bcb9d60cb8ca6ead9837cd27"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cbca30102028f9ad3d2098f935c4368f581fd07"
        },
        {
          "url": "https://git.kernel.org/stable/c/74fd327767fb784c5875cf7c4ba1217f26020943"
        },
        {
          "url": "https://git.kernel.org/stable/c/028363685bd0b7a19b4a820f82dd905b1dc83999"
        }
      ],
      "title": "espintcp: remove encap socket caching to avoid reference leak",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38097",
    "datePublished": "2025-07-03T08:13:57.694Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-07-03T08:13:57.694Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38097\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-03T09:15:23.030\",\"lastModified\":\"2025-07-03T15:13:53.147\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nespintcp: remove encap socket caching to avoid reference leak\\n\\nThe current scheme for caching the encap socket can lead to reference\\nleaks when we try to delete the netns.\\n\\nThe reference chain is: xfrm_state -\u003e enacp_sk -\u003e netns\\n\\nSince the encap socket is a userspace socket, it holds a reference on\\nthe netns. If we delete the espintcp state (through flush or\\nindividual delete) before removing the netns, the reference on the\\nsocket is dropped and the netns is correctly deleted. Otherwise, the\\nnetns may not be reachable anymore (if all processes within the ns\\nhave terminated), so we cannot delete the xfrm state to drop its\\nreference on the socket.\\n\\nThis patch results in a small (~2% in my tests) performance\\nregression.\\n\\nA GC-type mechanism could be added for the socket cache, to clear\\nreferences if the state hasn\u0027t been used \\\"recently\\\", but it\u0027s a lot\\nmore complex than just not caching the socket.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/028363685bd0b7a19b4a820f82dd905b1dc83999\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/74fd327767fb784c5875cf7c4ba1217f26020943\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9cbca30102028f9ad3d2098f935c4368f581fd07\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b58a295d10065960bcb9d60cb8ca6ead9837cd27\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e4cde54b46a87231c77256a633be1bef62687d69\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

