CVE-2025-39852

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-39852
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39852.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-39852
Downstream
Published
2025-09-19T15:26:24Z
Modified
2025-10-22T16:12:52.882160Z
Summary
net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
Details

In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6

When tcpaocopyallmatching() fails in tcpv6synrecvsock() it just exits the function. This ends up causing a memory-leak:

unreferenced object 0xffff0000281a8200 (size 2496): comm "softirq", pid 0, jiffies 4295174684 hex dump (first 32 bytes): 7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................ 0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............ backtrace (crc 5ebdbe15): kmemleakalloc+0x44/0xe0 kmemcacheallocnoprof+0x248/0x470 skprotalloc+0x48/0x120 skclonelock+0x38/0x3b0 inetcskclonelock+0x34/0x150 tcpcreateopenreqchild+0x3c/0x4a8 tcpv6synrecvsock+0x1c0/0x620 tcpcheckreq+0x588/0x790 tcpv6rcv+0x5d0/0xc18 ip6protocoldeliverrcu+0x2d8/0x4c0 ip6inputfinish+0x74/0x148 ip6input+0x50/0x118 ip6sublistrcv+0x2fc/0x3b0 ipv6listrcv+0x114/0x170 _netifreceiveskblistcore+0x16c/0x200 netifreceiveskblist_internal+0x1f0/0x2d0

This is because in tcpv6synrecvsock (and the IPv4 counterpart), when exiting upon error, inetcskprepareforcedclose() and tcp_done() need to be called. They make sure the newsk will end up being correctly free'd.

tcpv4synrecvsock() makes this very clear by having the putandexit label that takes care of things. So, this patch here makes sure tcpv4synrecvsock and tcpv6synrecvsock have similar error-handling and thus fixes the leak for TCP-AO.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
06b22ef29591f625ef877ae00d82192938e29e60
Fixed
46d33c878fc0b3d7570366b2c9912395b3f4e701
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
06b22ef29591f625ef877ae00d82192938e29e60
Fixed
3d2b356d994a8801acb397cafd28b13672c37ab5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
06b22ef29591f625ef877ae00d82192938e29e60
Fixed
fa390321aba0a54d0f7ae95ee4ecde1358bb9234

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.2
v6.16.3
v6.16.4
v6.16.5
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.6
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3d2b356d994a8801acb397cafd28b13672c37ab5",
        "target": {
            "function": "tcp_v6_syn_recv_sock",
            "file": "net/ipv6/tcp_ipv6.c"
        },
        "id": "CVE-2025-39852-6caabdbe",
        "deprecated": false,
        "digest": {
            "function_hash": "29335430518711823989597509883648734299",
            "length": 3998.0
        },
        "signature_version": "v1",
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3d2b356d994a8801acb397cafd28b13672c37ab5",
        "target": {
            "file": "net/ipv6/tcp_ipv6.c"
        },
        "id": "CVE-2025-39852-b16bd982",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "314940757538312052692343191472475526997",
                "12945508339130821535616991731837621204",
                "104881955532576419724363763966071813284",
                "81985033197931049747580926686992845797",
                "127737364501747071238463345993267964402",
                "252639120583203693091411758114935610458",
                "41244894738057408664142584184360216036",
                "11087169518310523506804777463259365420",
                "328418689046906644855952005492991613363",
                "116376962134970132709461583824786010179",
                "111284755581111895606165901014591025048",
                "325056808757140890275674236899659675850",
                "128354169012421042466948267440752420893",
                "320053797633709839571755493271741215907",
                "82897973102072706547366995283155744046",
                "78063268096642424886160637194474177735",
                "94124716731447066089037455213422981497",
                "314072319557945041480258200491413352342",
                "70553298829730235196764526836137880392",
                "305407463024304548130196606906410878762",
                "94935519051380177818139428772370177916",
                "207353862350088117551449143582671877298",
                "109989916169400566618158375004144031894",
                "6629311226780308175117757207070812071",
                "48787550752168885742394281051286305173",
                "73842836964482161959810375396721382669",
                "213963266805877829948734596096093363410",
                "322476092510887551762405355127322732242",
                "94124716731447066089037455213422981497",
                "243101750291137918861684015992613633791",
                "170160125326277680811881826598604829377",
                "243918992219836642141597274917885077729",
                "203380117058289328645823891365430497022",
                "260131229326481242135157796300862211348",
                "213281947894941958527854121443367495315",
                "316053748985127146442819794893790988317",
                "317945282925938148323010559550122109884",
                "86393392283993383853163125308226017015",
                "264887430174877796582631963595834786617",
                "201528994173644241989100974771479422967",
                "78984656317396517920242804826493290425",
                "200637536922309733029999667628456812390"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.46
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.16.6