CVE-2025-38273
published 2025-07-10CVE-2025-38273: In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning in tipc_aead_encrypt syzbot reported a refcount warning [1]…
medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
net: tipc: fix refcount warning in tipc_aead_encrypt
syzbot reported a refcount warning [1] caused by calling get_net() on
a network namespace that is being destroyed (refcount=0). This happens
when a TIPC discovery timer fires during network namespace cleanup.
The recently added get_net() call in commit e279024617134 ("net/tipc:
fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to
hold a reference to the network namespace. However, if the namespace
is already being destroyed, its refcount might be zero, leading to the
use-after-free warning.
Replace get_net() with maybe_get_net(), which safely checks if the
refcount is non-zero before incrementing it. If the namespace is being
destroyed, return -ENODEV early, after releasing the bearer reference.
[1]: https://lore.kernel.org/all/[email protected]/T/#m12019cf9ae77e1954f666914640efa36d52704a2
Affected
31 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | — | — |
| linux | linux | >= 5.10.238 < 5.10.239 | 5.10.239 |
| linux | linux | >= 5.15.185 < 5.15.186 | 5.15.186 |
| linux | linux | >= 6.1.141 < 6.1.142 | 6.1.142 |
| linux | linux | >= 6.12.31 < 6.12.34 | 6.12.34 |
| linux | linux | >= 6.14.9 < 6.15 | 6.15 |
| linux | linux | >= 6.6.93 < 6.6.94 | 6.6.94 |
| linux | linux | >= 689a205cd968a1572ab561b0c4c2d50a10e9d3b0 < c762fc79d710d676b793f9d98b1414efe6eb51e6 | c762fc79d710d676b793f9d98b1414efe6eb51e6 |
| linux | linux | >= b19fc1d0be3c3397e5968fe2627f22e7f84673b1 < acab7ca5ff19889b80a8ee7dec220ee1a96dede9 | acab7ca5ff19889b80a8ee7dec220ee1a96dede9 |
| linux | linux | >= b8fcae6d2e93c54cacb8f579a77d827c1c643eb5 < 307391e8fe70401a6d39ecc9978e13c2c0cdf81f | 307391e8fe70401a6d39ecc9978e13c2c0cdf81f |
| linux | linux | >= d42ed4de6aba232d946d20653a70f79158a6535b < 445d59025d76d0638b03110f8791d5b89ed5162d | 445d59025d76d0638b03110f8791d5b89ed5162d |
| linux | linux | >= e279024617134c94fd3e37470156534d5f2b3472 < 9ff60e0d9974dccf24e89bcd3ee7933e538d929f | 9ff60e0d9974dccf24e89bcd3ee7933e538d929f |
| linux | linux | >= e279024617134c94fd3e37470156534d5f2b3472 < f29ccaa07cf3d35990f4d25028cc55470d29372b | f29ccaa07cf3d35990f4d25028cc55470d29372b |
| linux | linux | >= f5c2c4eaaa5a8e7e0685ec031d480e588e263e59 < e0b11227c4e8eb4bdf1b86aa8f0f3abb24e0f029 | e0b11227c4e8eb4bdf1b86aa8f0f3abb24e0f029 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM