Bug 2379189 (CVE-2025-38273) - CVE-2025-38273 kernel: net: tipc: fix refcount warning in tipc_aead_encrypt
Summary: CVE-2025-38273 kernel: net: tipc: fix refcount warning in tipc_aead_encrypt
Keywords:
Status: NEW
Alias: CVE-2025-38273
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-10 08:02 UTC by OSIDB Bzimport
Modified: 2025-07-11 10:34 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-07-10 08:02:29 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: tipc: fix refcount warning in tipc_aead_encrypt

syzbot reported a refcount warning [1] caused by calling get_net() on
a network namespace that is being destroyed (refcount=0). This happens
when a TIPC discovery timer fires during network namespace cleanup.

The recently added get_net() call in commit e279024617134 ("net/tipc:
fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to
hold a reference to the network namespace. However, if the namespace
is already being destroyed, its refcount might be zero, leading to the
use-after-free warning.

Replace get_net() with maybe_get_net(), which safely checks if the
refcount is non-zero before incrementing it. If the namespace is being
destroyed, return -ENODEV early, after releasing the bearer reference.

[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
Comment 1 Avinash Hanwate 2025-07-11 10:31:32 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025071008-CVE-2025-38273-6850@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.