CVE-2025-40215
BaseFortify

Publication date: 2025-12-04

Last updated on: 2025-12-12

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: delete x->tunnel as we delete x

The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state synchronously on net exit path") is not complete.

We recently fixed one such situation in TCP due to deferred freeing of skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we currently drop dst")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state.

Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped.

A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.
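The delete/destroy distinction in the description can be followed in a small user-space model. This is an added example, not kernel code and not taken from the patch: every name in it is hypothetical, and the reference counts are simplified to one list reference plus one extra holder (a queued skb with a secpath).

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model; every name here is hypothetical, not kernel code. */
struct state {
    int refcnt;           /* list reference + any other holders */
    bool on_list;         /* still linked in the lists/hashtables */
    int tunnel_users;     /* fallback only: user states relying on it */
    struct state *tunnel; /* user state only: its ipcomp fallback */
};
static void state_delete(struct state *x, bool fixed);
static void state_put(struct state *x, bool fixed);
/* Release x's hold on its fallback; the last user also unlinks it. */
static void drop_tunnel(struct state *x, bool fixed)
{
    struct state *t = x->tunnel;
    if (!t)
        return;
    x->tunnel = NULL;
    if (--t->tunnel_users == 0)
        state_delete(t, fixed);
    state_put(t, fixed);
}
/* "Destroy" happens only when the final reference is dropped. */
static void state_put(struct state *x, bool fixed)
{
    if (--x->refcnt == 0)
        drop_tunnel(x, fixed); /* no-op if delete already did it */
}
/* "Delete" unlinks x; with the fix it releases the fallback here too. */
static void state_delete(struct state *x, bool fixed)
{
    if (!x->on_list)
        return;
    x->on_list = false;
    if (fixed)
        drop_tunnel(x, fixed);
    state_put(x, fixed); /* the list's reference */
}
/* States still linked when the namespace teardown check would run. */
static int leftover_at_fini(bool fixed)
{
    struct state t = { .refcnt = 2, .on_list = true, .tunnel_users = 1 };
    struct state x = { .refcnt = 2, .on_list = true, .tunnel = &t };
    state_delete(&x, fixed);  /* teardown deletes the user state */
    int left = x.on_list + t.on_list;
    state_put(&x, fixed);     /* queued skb is freed only afterwards */
    return left;
}
int main(void)
{
    printf("%d %d\n", leftover_at_fini(false), leftover_at_fini(true));
}
```

With `fixed` false the fallback is still linked at the point of the check because the user state has been deleted but not destroyed; with `fixed` true nothing is left on the list even though the skb reference is released later.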
Meta Information
Published: 2025-12-04
Last Modified: 2025-12-12
Generated: 2026-05-06
AI Q&A: 2025-12-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel's handling of ipcomp fallback tunnels in the xfrm subsystem. A fallback tunnel is removed from the kernel lists and hashtables only when the last user state that depends on it is destroyed, not when that user state is deleted. If references to the user state still exist, it is not destroyed, so the fallback state remains on the lists and hashtables and triggers the WARN in xfrm_state_fini. The problem arises because some network buffers (skbs) holding security paths (secpath) may remain queued until network namespace destruction, preventing timely deletion of fallback states. The fix deletes the fallback state as soon as the last dependent user state is deleted; destruction still happens when the final reference is dropped.


How can this vulnerability impact me?

This vulnerability can lead to improper cleanup of fallback tunnel states in the Linux kernel, which may cause warnings, resource leaks, or instability in the networking subsystem. While it does not directly indicate a security breach, lingering references and delayed deletion of states could potentially affect system reliability and performance, especially in environments heavily using IPsec or related tunneling features.

