CVE-2025-38273

MEDIUM EPSS 5.7%
Published Jul 10, 202511mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jul 10, 2025 11mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning in tipc_aead_encrypt syzbot reported a refcount warning [1] caused by calling get_net() on a network namespace that is being destroyed (refcount=0). This happens when a TIPC discovery timer fires during network namespace cleanup. The recently added get_net() call in commit e279024617134 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to hold a reference to the network namespace. However, if the namespace is already being destroyed, its refcount might be zero, leading to the use-after-free warning. Replace get_net() with maybe_get_net(), which safely checks if the refcount is non-zero before incrementing it. If the namespace is being destroyed, return -ENODEV early, after releasing the bearer reference. [1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
5.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 9

VendorProductVersionRange
linuxlinux_kernel*≥6.12.31  –  <6.12.34
linuxlinux_kernel*≥6.14.9  –  <6.15
linuxlinux_kernel*≥6.15.1  –  <6.15.3
linuxlinux_kernel5.10.238any
linuxlinux_kernel5.15.185any
linuxlinux_kernel6.1.141any
linuxlinux_kernel6.6.93any
linuxlinux_kernel6.15any
debiandebian_linux11.0any

References 9

  • git.kernel.org https://git.kernel.org/stable/c/307391e8fe70401a6d39ecc9978e13c2c0cdf81f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/445d59025d76d0638b03110f8791d5b89ed5162d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9ff60e0d9974dccf24e89bcd3ee7933e538d929f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/acab7ca5ff19889b80a8ee7dec220ee1a96dede9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c762fc79d710d676b793f9d98b1414efe6eb51e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e0b11227c4e8eb4bdf1b86aa8f0f3abb24e0f029
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f29ccaa07cf3d35990f4d25028cc55470d29372b
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
    Mailing ListThird Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
    Mailing ListThird Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/307391e8fe70401a6d39ecc9978e13c2c0cdf81f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/445d59025d76d0638b03110f8791d5b89ed5162d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9ff60e0d9974dccf24e89bcd3ee7933e538d929f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/acab7ca5ff19889b80a8ee7dec220ee1a96dede9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c762fc79d710d676b793f9d98b1414efe6eb51e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e0b11227c4e8eb4bdf1b86aa8f0f3abb24e0f029
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f29ccaa07cf3d35990f4d25028cc55470d29372b
    Patch