Vulnerability-Lookup

SUSE-SU-2026:0525-1

Vulnerability from csaf_suse - Published: 2026-02-14 17:04 - Updated: 2026-02-14 17:04

Summary

Security update for the Linux Kernel (Live Patch 73 for SUSE Linux Enterprise 12 SP5)

Notes

Title of the patch

Security update for the Linux Kernel (Live Patch 73 for SUSE Linux Enterprise 12 SP5)

Description of the patch

This update for the SUSE Linux Enterprise kernel 4.12.14-122.275 fixes one security issue The following security issue was fixed: - CVE-2025-40186: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request() (bsc#1253439). The following non security issue was fixed: - bsc#1250280: don't expose {file,inode}_operations with static lifetimes Fix issue with static lifetime empty_iops/no_open_fops by allocating them on the heap. Make sure previously assigned instances don't become dangling. (bsc#1250280).

Patchnames

SUSE-2026-525,SUSE-SLE-Live-Patching-12-SP5-2026-525

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 73 for SUSE Linux Enterprise 12 SP5)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThis update for the SUSE Linux Enterprise kernel 4.12.14-122.275 fixes one security issue\n\nThe following security issue was fixed:\n\n- CVE-2025-40186: tcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request() (bsc#1253439).\n\nThe following non security issue was fixed:\n\n- bsc#1250280: don\u0027t expose {file,inode}_operations with static lifetimes Fix issue with static lifetime empty_iops/no_open_fops by allocating them on the heap. Make sure previously assigned instances don\u0027t become dangling. (bsc#1250280).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-525,SUSE-SLE-Live-Patching-12-SP5-2026-525",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0525-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:0525-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260525-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:0525-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024254.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1250280",
        "url": "https://bugzilla.suse.com/1250280"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253439",
        "url": "https://bugzilla.suse.com/1253439"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-40186 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-40186/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 73 for SUSE Linux Enterprise 12 SP5)",
    "tracking": {
      "current_release_date": "2026-02-14T17:04:03Z",
      "generator": {
        "date": "2026-02-14T17:04:03Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:0525-1",
      "initial_release_date": "2026-02-14T17:04:03Z",
      "revision_history": [
        {
          "date": "2026-02-14T17:04:03Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kgraft-patch-4_12_14-122_275-default-3-2.1.ppc64le",
                "product": {
                  "name": "kgraft-patch-4_12_14-122_275-default-3-2.1.ppc64le",
                  "product_id": "kgraft-patch-4_12_14-122_275-default-3-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kgraft-patch-4_12_14-122_275-default-3-2.1.s390x",
                "product": {
                  "name": "kgraft-patch-4_12_14-122_275-default-3-2.1.s390x",
                  "product_id": "kgraft-patch-4_12_14-122_275-default-3-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kgraft-patch-4_12_14-122_275-default-3-2.1.x86_64",
                "product": {
                  "name": "kgraft-patch-4_12_14-122_275-default-3-2.1.x86_64",
                  "product_id": "kgraft-patch-4_12_14-122_275-default-3-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 12 SP5",
                  "product_id": "SUSE Linux Enterprise Live Patching 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-live-patching:12:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kgraft-patch-4_12_14-122_275-default-3-2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 12 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.ppc64le"
        },
        "product_reference": "kgraft-patch-4_12_14-122_275-default-3-2.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kgraft-patch-4_12_14-122_275-default-3-2.1.s390x as component of SUSE Linux Enterprise Live Patching 12 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.s390x"
        },
        "product_reference": "kgraft-patch-4_12_14-122_275-default-3-2.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kgraft-patch-4_12_14-122_275-default-3-2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 12 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.x86_64"
        },
        "product_reference": "kgraft-patch-4_12_14-122_275-default-3-2.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-40186",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-40186"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request().\n\nsyzbot reported the splat below in tcp_conn_request(). [0]\n\nIf a listener is close()d while a TFO socket is being processed in\ntcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk-\u003esk\nand calls inet_child_forget(), which calls tcp_disconnect() for the\nTFO socket.\n\nAfter the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),\nwhere reqsk_put() is called due to !reqsk-\u003esk.\n\nThen, reqsk_fastopen_remove() in tcp_conn_request() decrements the\nlast req-\u003ersk_refcnt and frees reqsk, and __reqsk_free() at the\ndrop_and_free label causes the refcount underflow for the listener\nand double-free of the reqsk.\n\nLet\u0027s remove reqsk_fastopen_remove() in tcp_conn_request().\n\nNote that other callers make sure tp-\u003efastopen_rsk is not NULL.\n\n[0]:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)\nModules linked in:\nCPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:refcount_warn_saturate (lib/refcount.c:28)\nCode: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff \u003c0f\u003e 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6\nRSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246\nRAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900\nRDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280\nRBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280\nR10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100\nR13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8\nFS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)\n tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)\n tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)\n ip6_input (net/ipv6/ip6_input.c:500)\n ipv6_rcv (net/ipv6/ip6_input.c:311)\n __netif_receive_skb (net/core/dev.c:6104)\n process_backlog (net/core/dev.c:6456)\n __napi_poll (net/core/dev.c:7506)\n net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480)\n \u003c/IRQ\u003e",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-40186",
          "url": "https://www.suse.com/security/cve/CVE-2025-40186"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253438 for CVE-2025-40186",
          "url": "https://bugzilla.suse.com/1253438"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253439 for CVE-2025-40186",
          "url": "https://bugzilla.suse.com/1253439"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_275-default-3-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-02-14T17:04:03Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-40186"
    }
  ]
}

CVE-2025-40186 (GCVE-0-2025-40186)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19

Title

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

Summary

In the Linux kernel, the following vulnerability has been resolved: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). syzbot reported the splat below in tcp_conn_request(). [0] If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket. After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due to !reqsk->sk. Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the drop_and_free label causes the refcount underflow for the listener and double-free of the reqsk. Let's remove reqsk_fastopen_remove() in tcp_conn_request(). Note that other callers make sure tp->fastopen_rsk is not NULL. [0]: refcount_t: underflow; use-after-free. WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28) Modules linked in: CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:refcount_warn_saturate (lib/refcount.c:28) Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6 RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246 RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900 RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280 RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280 R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100 R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8 FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0 Call Trace: <IRQ> tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301) tcp_rcv_state_process (net/ipv4/tcp_input.c:6708) tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670) tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438) ip6_input (net/ipv6/ip6_input.c:500) ipv6_rcv (net/ipv6/ip6_input.c:311) __netif_receive_skb (net/core/dev.c:6104) process_backlog (net/core/dev.c:6456) __napi_poll (net/core/dev.c:7506) net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480) </IRQ>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e359b742eac1eac75…
	https://git.kernel.org/stable/c/ff6a8883f96a5bc74…
	https://git.kernel.org/stable/c/eb85ad5f23268d64b…
	https://git.kernel.org/stable/c/643a94b0cf767325e…
	https://git.kernel.org/stable/c/422c1c173c39bbbae…
	https://git.kernel.org/stable/c/c11ace909e8731182…
	https://git.kernel.org/stable/c/64dc47a13aa3d9daf…
	https://git.kernel.org/stable/c/2e7cbbbe3d61c6360…

Impacted products

Vendor

Product

Version

Linux

Affected: 7ec092a91ff351dcde89c23e795b73a328274db6 , < e359b742eac1eac75cff4e38ee2e8cea492acd9b (git)
Affected: a4378dedd6e07e62f2fccb17d78c9665718763d0 , < ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d (git)
Affected: 33a4fdf0b4a25f8ce65380c3b0136b407ca57609 , < eb85ad5f23268d64b037bfb545cbcba3752f90c7 (git)
Affected: 17d699727577814198d744d6afe54735c6b54c99 , < 643a94b0cf767325e953591c212be2eb826b9d7f (git)
Affected: dfd06131107e7b699ef1e2a24ed2f7d17c917753 , < 422c1c173c39bbbae1e0eaaf8aefe40b2596233b (git)
Affected: fa4749c065644af4db496b338452a69a3e5147d9 , < c11ace909e873118295e9eb22dc8c58b0b50eb32 (git)
Affected: 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 , < 64dc47a13aa3d9daf7cec29b44dca8e22a6aea15 (git)
Affected: 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 , < 2e7cbbbe3d61c63606994b7ff73c72537afe2e1c (git)
Affected: ae313d14b45eca7a6bb29cb9bf396d977e7d28fb (git)

Linux

Affected: 6.17
Unaffected: 0 , < 6.17 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.157 , ≤ 6.1.* (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e359b742eac1eac75cff4e38ee2e8cea492acd9b",
              "status": "affected",
              "version": "7ec092a91ff351dcde89c23e795b73a328274db6",
              "versionType": "git"
            },
            {
              "lessThan": "ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d",
              "status": "affected",
              "version": "a4378dedd6e07e62f2fccb17d78c9665718763d0",
              "versionType": "git"
            },
            {
              "lessThan": "eb85ad5f23268d64b037bfb545cbcba3752f90c7",
              "status": "affected",
              "version": "33a4fdf0b4a25f8ce65380c3b0136b407ca57609",
              "versionType": "git"
            },
            {
              "lessThan": "643a94b0cf767325e953591c212be2eb826b9d7f",
              "status": "affected",
              "version": "17d699727577814198d744d6afe54735c6b54c99",
              "versionType": "git"
            },
            {
              "lessThan": "422c1c173c39bbbae1e0eaaf8aefe40b2596233b",
              "status": "affected",
              "version": "dfd06131107e7b699ef1e2a24ed2f7d17c917753",
              "versionType": "git"
            },
            {
              "lessThan": "c11ace909e873118295e9eb22dc8c58b0b50eb32",
              "status": "affected",
              "version": "fa4749c065644af4db496b338452a69a3e5147d9",
              "versionType": "git"
            },
            {
              "lessThan": "64dc47a13aa3d9daf7cec29b44dca8e22a6aea15",
              "status": "affected",
              "version": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
              "versionType": "git"
            },
            {
              "lessThan": "2e7cbbbe3d61c63606994b7ff73c72537afe2e1c",
              "status": "affected",
              "version": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ae313d14b45eca7a6bb29cb9bf396d977e7d28fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "5.4.300",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "5.10.245",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "5.15.194",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "6.1.154",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "6.6.108",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "6.12.49",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.16.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request().\n\nsyzbot reported the splat below in tcp_conn_request(). [0]\n\nIf a listener is close()d while a TFO socket is being processed in\ntcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk-\u003esk\nand calls inet_child_forget(), which calls tcp_disconnect() for the\nTFO socket.\n\nAfter the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),\nwhere reqsk_put() is called due to !reqsk-\u003esk.\n\nThen, reqsk_fastopen_remove() in tcp_conn_request() decrements the\nlast req-\u003ersk_refcnt and frees reqsk, and __reqsk_free() at the\ndrop_and_free label causes the refcount underflow for the listener\nand double-free of the reqsk.\n\nLet\u0027s remove reqsk_fastopen_remove() in tcp_conn_request().\n\nNote that other callers make sure tp-\u003efastopen_rsk is not NULL.\n\n[0]:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)\nModules linked in:\nCPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:refcount_warn_saturate (lib/refcount.c:28)\nCode: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff \u003c0f\u003e 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6\nRSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246\nRAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900\nRDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280\nRBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280\nR10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100\nR13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8\nFS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)\n tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)\n tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)\n ip6_input (net/ipv6/ip6_input.c:500)\n ipv6_rcv (net/ipv6/ip6_input.c:311)\n __netif_receive_skb (net/core/dev.c:6104)\n process_backlog (net/core/dev.c:6456)\n __napi_poll (net/core/dev.c:7506)\n net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480)\n \u003c/IRQ\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:19:44.477Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32"
        },
        {
          "url": "https://git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1c"
        }
      ],
      "title": "tcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40186",
    "datePublished": "2025-11-12T21:56:29.033Z",
    "dateReserved": "2025-04-16T07:20:57.177Z",
    "dateUpdated": "2025-12-01T06:19:44.477Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:0525-1

CVE-2025-40186 (GCVE-0-2025-40186)

Tags

Sightings

Nomenclature