CVE-2025-38273

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38273
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38273.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38273
Downstream
Related
Published
2025-07-10T08:15:25Z
Modified
2025-08-12T21:01:19Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: tipc: fix refcount warning in tipcaeadencrypt

syzbot reported a refcount warning [1] caused by calling get_net() on a network namespace that is being destroyed (refcount=0). This happens when a TIPC discovery timer fires during network namespace cleanup.

The recently added getnet() call in commit e279024617134 ("net/tipc: fix slab-use-after-free Read in tipcaeadencryptdone") attempts to hold a reference to the network namespace. However, if the namespace is already being destroyed, its refcount might be zero, leading to the use-after-free warning.

Replace getnet() with maybeget_net(), which safely checks if the refcount is non-zero before incrementing it. If the namespace is being destroyed, return -ENODEV early, after releasing the bearer reference.

References

Affected packages