TCP Vulnerability in Linux Kernel Affecting Multiple Network Configurations
CVE-2025-21864

5.5MEDIUM

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 12 March 2025

What is CVE-2025-21864?

A vulnerability has been identified in the Linux kernel related to TCP packet processing. The issue arises during the deletion of network namespaces where a lingering reference to an xfrm_state object prevents proper cleanup. When network namespaces are deleted prematurely, references from the security path (secpath) remain attached to socket buffers (skb), potentially leading to unexpected behavior during packet handling. The problem manifests particularly in scenarios where TCP tests are executed over ipcomp6 configurations. To resolve the issue, adjustments have been made to ensure that secpath references are dropped alongside the destination state, enhancing the stability and security of network operations.

Affected Version(s)

Linux 68822bdf76f10c3dc80609d4e2cdc1e847429086 < 87858bbf21da239ace300d61dd209907995c0491

Linux 68822bdf76f10c3dc80609d4e2cdc1e847429086

References

https://git.kernel.org/stable/c/87858bbf21da239ace300d61d...

https://git.kernel.org/stable/c/f1d5e6a5e468308af7759cf52...

https://git.kernel.org/stable/c/cd34a07f744451e2ecf9005bb...

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 12, 2025
Vulnerability Reserved
Dec 29, 2024