CVE-2025-39852
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-19

Last updated on: 2025-12-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just exits the function. This ends up causing a memory-leak: unreferenced object 0xffff0000281a8200 (size 2496): comm "softirq", pid 0, jiffies 4295174684 hex dump (first 32 bytes): 7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................ 0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............ backtrace (crc 5ebdbe15): kmemleak_alloc+0x44/0xe0 kmem_cache_alloc_noprof+0x248/0x470 sk_prot_alloc+0x48/0x120 sk_clone_lock+0x38/0x3b0 inet_csk_clone_lock+0x34/0x150 tcp_create_openreq_child+0x3c/0x4a8 tcp_v6_syn_recv_sock+0x1c0/0x620 tcp_check_req+0x588/0x790 tcp_v6_rcv+0x5d0/0xc18 ip6_protocol_deliver_rcu+0x2d8/0x4c0 ip6_input_finish+0x74/0x148 ip6_input+0x50/0x118 ip6_sublist_rcv+0x2fc/0x3b0 ipv6_list_rcv+0x114/0x170 __netif_receive_skb_list_core+0x16c/0x200 netif_receive_skb_list_internal+0x1f0/0x2d0 This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need to be called. They make sure the newsk will end up being correctly free'd. tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit label that takes care of things. So, this patch here makes sure tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar error-handling and thus fixes the leak for TCP-AO.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-19
Last Modified
2025-12-11
Generated
2026-05-07
AI Q&A
2025-09-19
EPSS Evaluated
2026-05-05
NVD
CVE-2025-39852
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.7 (inc) to 6.12.46 (exc)
linux linux_kernel From 6.13 (inc) to 6.16.6 (exc)
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel 6.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a memory leak in the Linux kernel's TCP-AO failure handling for IPv6. Specifically, when the function tcp_ao_copy_all_matching() fails inside tcp_v6_syn_recv_sock(), the function exits without properly freeing allocated socket memory. This causes a memory leak because necessary cleanup functions (inet_csk_prepare_forced_close() and tcp_done()) are not called on error exit, unlike in the IPv4 counterpart. The patch fixes this by aligning the IPv6 error handling with IPv4 to ensure proper memory release.


How can this vulnerability impact me? :

The memory leak caused by this vulnerability can lead to increased memory consumption on affected systems, potentially degrading system performance or causing resource exhaustion over time. This could affect the stability and reliability of systems running the vulnerable Linux kernel, especially under conditions where TCP-AO failure handling for IPv6 is triggered frequently.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart