CVE-2025-40256
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-04

Last updated on: 2025-12-12

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists. In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel. There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A "proper" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved. At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-04
Last Modified
2025-12-12
Generated
2026-05-07
AI Q&A
2025-12-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-40256
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel involves a flaw in the handling of xfrm states related to IPcomp tunnels. Specifically, when state creation fails after initialization but before being added to internal lists, the fallback tunnel (FB tunnel) is created and added, but the user state is not. Because the user state does not go through the usual deletion process, the fallback tunnel is not properly deleted, leading to a resource leak. The fix ensures that the fallback tunnel is deleted during garbage collection even if the state was never fully added, preventing the leak.


How can this vulnerability impact me? :

This vulnerability can lead to resource leaks in the Linux kernel's handling of IPcomp tunnels, potentially causing increased memory usage or exhaustion of kernel resources over time. This could degrade system performance or stability, especially in environments heavily using IPsec tunnels with IPcomp. However, there is no indication of direct code execution or privilege escalation from this issue.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by ensuring that xfrm_state_delete_tunnel is called during the destruction of states that were never added, preventing fallback tunnel leaks. To mitigate this vulnerability, you should update your Linux kernel to the version that includes the fix (commit b441cf3f8c4b and subsequent patches).


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart