CVE-2025-40215

Enriched by CISA

In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state synchronously on net exit path") is not complete. We recently fixed one such situation in TCP due to defered freeing of skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we currently drop dst")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state. Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped. A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.
https://nvd.nist.gov/vuln/detail/CVE-2025-40215

References

416baaa9-dc9f-4396-8d5f-8c081fb06d67

https://git.kernel.org/stable/c/0da961fa46da1b37ef868d9b603bd202136f8f8e
https://git.kernel.org/stable/c/1b28a7fae0128fa140a7dccd995182ff6cd1c67b
https://git.kernel.org/stable/c/4b2c17d0f9be8b58bb30468bc81a4b61c985b04e
https://git.kernel.org/stable/c/b441cf3f8c4b8576639d20c8eb4aa32917602ecd
https://git.kernel.org/stable/c/d0e0d1097118461463b76562c7ebaabaa5b90b13
https://git.kernel.org/stable/c/dc3636912d41770466543623cb76e7b88fdb42c7

AFFECTED (from MITRE)

Vendor	Product	Versions
Linux	Linux	9d4139c76905833afcb77fe8ccc17f302a0eb9ab < 1b28a7fae0128fa140a7dccd995182ff6cd1c67b [affected] 9d4139c76905833afcb77fe8ccc17f302a0eb9ab < 4b2c17d0f9be8b58bb30468bc81a4b61c985b04e [affected] 9d4139c76905833afcb77fe8ccc17f302a0eb9ab < 0da961fa46da1b37ef868d9b603bd202136f8f8e [affected] 9d4139c76905833afcb77fe8ccc17f302a0eb9ab < d0e0d1097118461463b76562c7ebaabaa5b90b13 [affected] 9d4139c76905833afcb77fe8ccc17f302a0eb9ab < dc3636912d41770466543623cb76e7b88fdb42c7 [affected] 9d4139c76905833afcb77fe8ccc17f302a0eb9ab < b441cf3f8c4b8576639d20c8eb4aa32917602ecd [affected]
Linux	Linux	2.6.29 [affected] < 2.6.29 [unaffected] 5.10.248 ≤ 5.10.* [unaffected] 5.15.198 ≤ 5.15.* [unaffected] 6.1.160 ≤ 6.1.* [unaffected] 6.6.120 ≤ 6.6.* [unaffected] 6.12.62 ≤ 6.12.* [unaffected] 6.16 ≤ * [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:o:linux:linux_kernel::::::::	>= 2.6.29	< 5.10.248
cpe:2.3:o:linux:linux_kernel::::::::	>= 2.6.29	< 5.15.198
cpe:2.3:o:linux:linux_kernel::::::::	>= 2.6.29	< 6.1.160
cpe:2.3:o:linux:linux_kernel::::::::	>= 2.6.29	< 6.6.120
cpe:2.3:o:linux:linux_kernel::::::::	>= 2.6.29	< 6.12.62
cpe:2.3:o:linux:linux_kernel::::::::	>= 2.6.29	< 6.16

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee