In the Linux kernel, the following vulnerability has been resolved:
net: mctp: take ownership of skb in mctplocaloutput
Currently, mctplocaloutput only takes ownership of skb on success, and we may leak an skb if mctplocaloutput fails in specific states; the skb ownership isn't transferred until the actual output routing occurs.
Instead, make mctplocaloutput free the skb on all error paths up to the route action, so it always consumes the passed skb.