CVE-2025-38097
Status: Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-07-03

Last updated on: 2025-12-16

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

espintcp: remove encap socket caching to avoid reference leak

The current scheme for caching the encap socket can lead to reference leaks when we try to delete the netns. The reference chain is:

xfrm_state -> encap_sk -> netns

Since the encap socket is a userspace socket, it holds a reference on the netns. If we delete the espintcp state (through flush or individual delete) before removing the netns, the reference on the socket is dropped and the netns is correctly deleted. Otherwise, the netns may not be reachable anymore (if all processes within the ns have terminated), so we cannot delete the xfrm state to drop its reference on the socket.

This patch results in a small (~2% in my tests) performance regression. A GC-type mechanism could be added for the socket cache, to clear references if the state hasn't been used "recently", but it's a lot more complex than just not caching the socket.
Meta Information

Generated: 2026-05-07
AI Q&A: 2025-07-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products

Showing 12 associated CPEs

Vendor  Product       Version / Range
linux   linux_kernel  From 5.6 (inc) to 6.1.141 (exc)
linux   linux_kernel  From 6.2 (inc) to 6.6.93 (exc)
linux   linux_kernel  From 6.7 (inc) to 6.12.31 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.14.9 (exc)
linux   linux_kernel  6.15 (seven identical CPE entries)
debian  debian_linux  11.0
CWE ID: NVD-CWE-Other
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a reference leak in the Linux kernel's espintcp code caused by caching the encapsulation (encap) socket in the xfrm state. The encap socket is a userspace socket, so it holds a reference to its network namespace (netns). If the espintcp state is deleted before the netns (through a flush or an individual delete), the reference on the socket is dropped and the netns can be removed correctly. If instead all processes in the netns have already exited, the netns is no longer reachable, so the xfrm state cannot be deleted to release its reference on the socket, and the netns is never freed.


How can this vulnerability impact me?

The practical effect is a resource leak in the Linux kernel: a network namespace whose espintcp state still holds a cached encap socket cannot be deleted. Over time, leaked namespaces and the objects they keep alive accumulate, which can increase memory usage and degrade performance or system stability.


What immediate steps should I take to mitigate this vulnerability?

The fix removes the encap socket caching in the espintcp code, so the xfrm state no longer pins the netns through the socket. Immediate mitigation is to update to a kernel that includes this patch (see the affected version ranges above). Until then, because the leak occurs only when the netns becomes unreachable while the espintcp state still exists, delete the espintcp xfrm state (flush or individual delete) before tearing down the netns. No specific commands are provided for mitigation.

