CVE-2025-40007 — Improper Update of Reference Count in Linux

CWE-911 — Improper Update of Reference Count6 documents5 sources

Severity

5.5MEDIUM

No vector

EPSS

0.0%

top 92.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Linux Kernel Debian Linux

Timeline

PublishedOct 20

Description

In the Linux kernel, the following vulnerability has been resolved: netfs: fix reference leak Commit 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") modified netfs_alloc_request() to initialize the reference counter to 2 instead of 1. The rationale was that the requet's "work" would release the second reference after completion (via netfs_{read,write}_collection_worker()). That works most of the time if all goes well. However, it leaks this additional reference if the…

Affected Packages4 packages

▶Linuxlinux/linux_kernel6.16.0 — 6.16.10

▶Debianlinux/linux_kernel< 6.16.10-1

▶CVEListV5linux/linux20d72b00ca814d748f5663484e5c53bb2bf37a3a — 8df142e93098b4531fadb5dfcf93087649f570b3+3

▶debiandebian/linux< linux 6.16.10-1 (forky)

🔴Vulnerability Details

GHSA

GHSA-gvqp-7rxr-73ch: In the Linux kernel, the following vulnerability has been resolved: netfs: fix reference leak Commit 20d72b00ca81 ("netfs: Fix the request's work it↗2025-10-20

▶

OSV

netfs: fix reference leak↗2025-10-20

▶

OSV

CVE-2025-40007: In the Linux kernel, the following vulnerability has been resolved: netfs: fix reference leak Commit 20d72b00ca81 ("netfs: Fix the request's work item↗2025-10-20

▶

📋Vendor Advisories

Red Hat

kernel: netfs: fix reference leak↗2025-10-20

▶

Debian

CVE-2025-40007: linux - In the Linux kernel, the following vulnerability has been resolved: netfs: fix ...↗2025

▶