fkie_cve-2025-21884
Vulnerability from fkie_nvd
Published
2025-03-27 15:15
Modified
2025-10-29 16:49
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: better track kernel sockets lifetime
While kernel sockets are dismantled during pernet_operations->exit(),
their freeing can be delayed by any tx packets still held in qdisc
or device queues, due to skb_set_owner_w() prior calls.
This then trigger the following warning from ref_tracker_dir_exit() [1]
To fix this, make sure that kernel sockets own a reference on net->passive.
Add sk_net_refcnt_upgrade() helper, used whenever a kernel socket
is converted to a refcounted one.
[1]
[ 136.263918][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at
[ 136.263918][ T35] sk_alloc+0x2b3/0x370
[ 136.263918][ T35] inet6_create+0x6ce/0x10f0
[ 136.263918][ T35] __sock_create+0x4c0/0xa30
[ 136.263918][ T35] inet_ctl_sock_create+0xc2/0x250
[ 136.263918][ T35] igmp6_net_init+0x39/0x390
[ 136.263918][ T35] ops_init+0x31e/0x590
[ 136.263918][ T35] setup_net+0x287/0x9e0
[ 136.263918][ T35] copy_net_ns+0x33f/0x570
[ 136.263918][ T35] create_new_namespaces+0x425/0x7b0
[ 136.263918][ T35] unshare_nsproxy_namespaces+0x124/0x180
[ 136.263918][ T35] ksys_unshare+0x57d/0xa70
[ 136.263918][ T35] __x64_sys_unshare+0x38/0x40
[ 136.263918][ T35] do_syscall_64+0xf3/0x230
[ 136.263918][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 136.263918][ T35]
[ 136.343488][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at
[ 136.343488][ T35] sk_alloc+0x2b3/0x370
[ 136.343488][ T35] inet6_create+0x6ce/0x10f0
[ 136.343488][ T35] __sock_create+0x4c0/0xa30
[ 136.343488][ T35] inet_ctl_sock_create+0xc2/0x250
[ 136.343488][ T35] ndisc_net_init+0xa7/0x2b0
[ 136.343488][ T35] ops_init+0x31e/0x590
[ 136.343488][ T35] setup_net+0x287/0x9e0
[ 136.343488][ T35] copy_net_ns+0x33f/0x570
[ 136.343488][ T35] create_new_namespaces+0x425/0x7b0
[ 136.343488][ T35] unshare_nsproxy_namespaces+0x124/0x180
[ 136.343488][ T35] ksys_unshare+0x57d/0xa70
[ 136.343488][ T35] __x64_sys_unshare+0x38/0x40
[ 136.343488][ T35] do_syscall_64+0xf3/0x230
[ 136.343488][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | 6.14 | |
| linux | linux_kernel | 6.14 | |
| linux | linux_kernel | 6.14 | |
| linux | linux_kernel | 6.14 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F2293654-7169-49B5-8D0D-EE51EF8B8E48",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "472C5F87-2BF3-4FAB-9B21-DA7513977363",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64F12D9B-71C2-4CD7-A288-0D5EF1709620",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*",
"matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*",
"matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: better track kernel sockets lifetime\n\nWhile kernel sockets are dismantled during pernet_operations-\u003eexit(),\ntheir freeing can be delayed by any tx packets still held in qdisc\nor device queues, due to skb_set_owner_w() prior calls.\n\nThis then trigger the following warning from ref_tracker_dir_exit() [1]\n\nTo fix this, make sure that kernel sockets own a reference on net-\u003epassive.\n\nAdd sk_net_refcnt_upgrade() helper, used whenever a kernel socket\nis converted to a refcounted one.\n\n[1]\n\n[ 136.263918][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at\n[ 136.263918][ T35] sk_alloc+0x2b3/0x370\n[ 136.263918][ T35] inet6_create+0x6ce/0x10f0\n[ 136.263918][ T35] __sock_create+0x4c0/0xa30\n[ 136.263918][ T35] inet_ctl_sock_create+0xc2/0x250\n[ 136.263918][ T35] igmp6_net_init+0x39/0x390\n[ 136.263918][ T35] ops_init+0x31e/0x590\n[ 136.263918][ T35] setup_net+0x287/0x9e0\n[ 136.263918][ T35] copy_net_ns+0x33f/0x570\n[ 136.263918][ T35] create_new_namespaces+0x425/0x7b0\n[ 136.263918][ T35] unshare_nsproxy_namespaces+0x124/0x180\n[ 136.263918][ T35] ksys_unshare+0x57d/0xa70\n[ 136.263918][ T35] __x64_sys_unshare+0x38/0x40\n[ 136.263918][ T35] do_syscall_64+0xf3/0x230\n[ 136.263918][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 136.263918][ T35]\n[ 136.343488][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at\n[ 136.343488][ T35] sk_alloc+0x2b3/0x370\n[ 136.343488][ T35] inet6_create+0x6ce/0x10f0\n[ 136.343488][ T35] __sock_create+0x4c0/0xa30\n[ 136.343488][ T35] inet_ctl_sock_create+0xc2/0x250\n[ 136.343488][ T35] ndisc_net_init+0xa7/0x2b0\n[ 136.343488][ T35] ops_init+0x31e/0x590\n[ 136.343488][ T35] setup_net+0x287/0x9e0\n[ 136.343488][ T35] copy_net_ns+0x33f/0x570\n[ 136.343488][ T35] create_new_namespaces+0x425/0x7b0\n[ 136.343488][ T35] unshare_nsproxy_namespaces+0x124/0x180\n[ 136.343488][ T35] ksys_unshare+0x57d/0xa70\n[ 136.343488][ T35] __x64_sys_unshare+0x38/0x40\n[ 136.343488][ T35] do_syscall_64+0xf3/0x230\n[ 136.343488][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: mejorar el seguimiento del ciclo de vida de los sockets del kernel. Mientras los sockets del kernel se desmantelan durante pernet_operations-\u0026gt;exit(), su liberaci\u00f3n puede verse retrasada por cualquier paquete de transmisi\u00f3n que a\u00fan se encuentre en la qdisc o en las colas de dispositivos, debido a llamadas previas a skb_set_owner_w(). Esto genera la siguiente advertencia de ref_tracker_dir_exit() [1]. Para solucionar esto, aseg\u00farese de que los sockets del kernel posean una referencia en net-\u0026gt;passive. Agregue el asistente sk_net_refcnt_upgrade(), que se utiliza siempre que un socket del kernel se convierte a uno con recuento de referencia. [1] [ 136.263918][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.263918][ T35] sk_alloc+0x2b3/0x370 [ 136.263918][ T35] inet6_create+0x6ce/0x10f0 [ 136.263918][ T35] __sock_create+0x4c0/0xa30 [ 136.263918][ T35] inet_ctl_sock_create+0xc2/0x250 [ 136.263918][ T35] igmp6_net_init+0x39/0x390 [ 136.263918][ T35] ops_init+0x31e/0x590 [ 136.263918][ T35] setup_net+0x287/0x9e0 [ 136.263918][ T35] copy_net_ns+0x33f/0x570 [ 136.263918][ T35] create_new_namespaces+0x425/0x7b0 [ 136.263918][ T35] unshare_nsproxy_namespaces+0x124/0x180 [ 136.263918][ T35] ksys_unshare+0x57d/0xa70 [ 136.263918][ T35] __x64_sys_unshare+0x38/0x40 [ 136.263918][ T35] do_syscall_64+0xf3/0x230 [ 136.263918][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 136.263918][ T35] [ 136.343488][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.343488][ T35] sk_alloc+0x2b3/0x370 [ 136.343488][ T35] inet6_create+0x6ce/0x10f0 [ 136.343488][ T35] __sock_create+0x4c0/0xa30 [ 136.343488][ T35] inet_ctl_sock_create+0xc2/0x250 [ 136.343488][ T35] ndisc_net_init+0xa7/0x2b0 [ 136.343488][ T35] ops_init+0x31e/0x590 [ 136.343488][ T35] setup_net+0x287/0x9e0 [ 136.343488][ T35] copy_net_ns+0x33f/0x570 [ 136.343488][ T35] create_new_namespaces+0x425/0x7b0 [ 136.343488][ T35] unshare_nsproxy_namespaces+0x124/0x180 [ 136.343488][ T35] ksys_unshare+0x57d/0xa70 [ 136.343488][ T35] __x64_sys_unshare+0x38/0x40 [ 136.343488][ T35] do_syscall_64+0xf3/0x230 [ 136.343488][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"id": "CVE-2025-21884",
"lastModified": "2025-10-29T16:49:15.323",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-27T15:15:56.313",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/2668e038800b946d269f96ec1b258c01930a242c"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/4ceb0bd4ffd009821b585ce6a8033b12b59fb5fb"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/5c70eb5c593d64d93b178905da215a9fd288a4b5"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/c31a732fac46b00b95b78fcc9c37cb48dd6f2e0c"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…