2414724 – (CVE-2025-40186) CVE-2025-40186 kernel: Linux kernel: Privilege escalation or Denial of Service via TCP Fast Open vulnerability

Bug 2414724 (CVE-2025-40186) - CVE-2025-40186 kernel: Linux kernel: Privilege escalation or Denial of Service via TCP Fast Open vulnerability

Summary: CVE-2025-40186 kernel: Linux kernel: Privilege escalation or Denial of Servic...

Keywords:
Status:	NEW
Alias:	CVE-2025-40186
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-12 23:02 UTC by OSIDB Bzimport
Modified:	2025-12-18 14:54 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:22392	None	None	None	2025-12-01 09:49:40 UTC
Red Hat Product Errata	RHSA-2025:23422	None	None	None	2025-12-17 01:14:47 UTC
Red Hat Product Errata	RHSA-2025:23423	None	None	None	2025-12-17 03:41:25 UTC
Red Hat Product Errata	RHSA-2025:23424	None	None	None	2025-12-17 01:11:38 UTC
Red Hat Product Errata	RHSA-2025:23425	None	None	None	2025-12-17 03:36:07 UTC
Red Hat Product Errata	RHSA-2025:23426	None	None	None	2025-12-17 03:26:28 UTC
Red Hat Product Errata	RHSA-2025:23427	None	None	None	2025-12-17 03:27:10 UTC
Red Hat Product Errata	RHSA-2025:23445	None	None	None	2025-12-17 07:47:01 UTC
Red Hat Product Errata	RHSA-2025:23450	None	None	None	2025-12-17 17:24:50 UTC
Red Hat Product Errata	RHSA-2025:23463	None	None	None	2025-12-17 15:00:24 UTC

Description OSIDB Bzimport 2025-11-12 23:02:41 UTC

In the Linux kernel, the following vulnerability has been resolved:

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

syzbot reported the splat below in tcp_conn_request(). [0]

If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.

After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.

Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.

Let's remove reqsk_fastopen_remove() in tcp_conn_request().

Note that other callers make sure tp->fastopen_rsk is not NULL.

[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:
 <IRQ>
 tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
 tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
 tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
 tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
 ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
 ip6_input (net/ipv6/ip6_input.c:500)
 ipv6_rcv (net/ipv6/ip6_input.c:311)
 __netif_receive_skb (net/core/dev.c:6104)
 process_backlog (net/core/dev.c:6456)
 __napi_poll (net/core/dev.c:7506)
 net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
 handle_softirqs (kernel/softirq.c:579)
 do_softirq (kernel/softirq.c:480)
 </IRQ>

Comment 1 Mauro Matteo Cascella 2025-11-13 09:47:09 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025111244-CVE-2025-40186-b204@gregkh/T

Comment 6 errata-xmlrpc 2025-12-01 09:49:39 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:22392 https://access.redhat.com/errata/RHSA-2025:22392

Comment 7 errata-xmlrpc 2025-12-17 01:11:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:23424 https://access.redhat.com/errata/RHSA-2025:23424

Comment 8 errata-xmlrpc 2025-12-17 01:14:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:23422 https://access.redhat.com/errata/RHSA-2025:23422

Comment 9 errata-xmlrpc 2025-12-17 03:26:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:23426 https://access.redhat.com/errata/RHSA-2025:23426

Comment 10 errata-xmlrpc 2025-12-17 03:27:09 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:23427 https://access.redhat.com/errata/RHSA-2025:23427

Comment 11 errata-xmlrpc 2025-12-17 03:36:06 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:23425 https://access.redhat.com/errata/RHSA-2025:23425

Comment 12 errata-xmlrpc 2025-12-17 03:41:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:23423 https://access.redhat.com/errata/RHSA-2025:23423

Comment 13 errata-xmlrpc 2025-12-17 07:47:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:23445 https://access.redhat.com/errata/RHSA-2025:23445

Comment 14 errata-xmlrpc 2025-12-17 15:00:22 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:23463 https://access.redhat.com/errata/RHSA-2025:23463

Comment 15 errata-xmlrpc 2025-12-17 17:24:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:23450 https://access.redhat.com/errata/RHSA-2025:23450

Note You need to log in before you can comment on or make changes to this bug.