{ "threat_severity" : "Important", "public_date" : "2025-06-18T00:00:00Z", "bugzilla" : { "description" : "kernel: net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done", "id" : "2373380", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373380" }, "cvss3" : { "cvss3_base_score" : "7.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done\nSyzbot reported a slab-use-after-free with the following call trace:\n==================================================================\nBUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\nRead of size 8 at addr ffff88807a733000 by task kworker/1:0/25\nCall Trace:\nkasan_report+0xd9/0x110 mm/kasan/report.c:601\ntipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\ncrypto_request_complete include/crypto/algapi.h:266\naead_request_complete include/crypto/internal/aead.h:85\ncryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772\ncrypto_request_complete include/crypto/algapi.h:266\ncryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181\nprocess_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\nAllocated by task 8355:\nkzalloc_noprof include/linux/slab.h:778\ntipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466\ntipc_init_net+0x2dd/0x430 net/tipc/core.c:72\nops_init+0xb9/0x650 net/core/net_namespace.c:139\nsetup_net+0x435/0xb40 net/core/net_namespace.c:343\ncopy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508\ncreate_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110\nunshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228\nksys_unshare+0x419/0x970 kernel/fork.c:3323\n__do_sys_unshare kernel/fork.c:3394\nFreed by task 63:\nkfree+0x12a/0x3b0 mm/slub.c:4557\ntipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539\ntipc_exit_net+0x8c/0x110 net/tipc/core.c:119\nops_exit_list+0xb0/0x180 net/core/net_namespace.c:173\ncleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\nprocess_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\nAfter freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done\nmay still visit it in cryptd_queue_worker workqueue.\nI reproduce this issue by:\nip netns add ns1\nip link add veth1 type veth peer name veth2\nip link set veth1 netns ns1\nip netns exec ns1 tipc bearer enable media eth dev veth1\nip netns exec ns1 tipc node set key this_is_a_master_key master\nip netns exec ns1 tipc bearer disable media eth dev veth1\nip netns del ns1\nThe key of reproduction is that, simd_aead_encrypt is interrupted, leading\nto crypto_simd_usable() return false. Thus, the cryptd_queue_worker is\ntriggered, and the tipc_crypto tx will be visited.\ntipc_disc_timeout\ntipc_bearer_xmit_skb\ntipc_crypto_xmit\ntipc_aead_encrypt\ncrypto_aead_encrypt\n// encrypt()\nsimd_aead_encrypt\n// crypto_simd_usable() is false\nchild = &ctx->cryptd_tfm->base;\nsimd_aead_encrypt\ncrypto_aead_encrypt\n// encrypt()\ncryptd_aead_encrypt_enqueue\ncryptd_aead_enqueue\ncryptd_enqueue_request\n// trigger cryptd_queue_worker\nqueue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)\nFix this by holding net reference count before encrypt.", "A vulnerability was found in the Linux kernel's management of network namespaces. By manipulating the lifecycle of network namespaces, an attacker could exploit this vulnerability to cause a system crash or leak sensitive system memory. Exploitation of this vulnerability requires that a user has access to the system and the ability to create or destroy network namespaces. This typically requires administrative privileges, but could be exposed to an unprivileged user who has control over container lifecycles or a user who has administrative privileges within a container." ], "statement" : "A slab-use-after-free vulnerability exists in the TIPC crypto subsystem in the Linux kernel. The bug is triggered when a network namespace is deleted while an asynchronous crypto operation is still pending, resulting in access to freed memory from a delayed worker context. The vulnerability requires local privileges to create and manipulate network namespaces and configure TIPC crypto bearers, which justifies the use of PR:L. Despite this, the impact on system memory and stability is significant due to the asynchronous nature of the cryptographic operation. Although not directly reachable from an unprivileged user context, this issue can be exploited by a local attacker with limited privileges, for example, in a container, to crash the kernel or perform arbitrary memory access via crafted namespace lifecycle manipulation.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-08-04T00:00:00Z", "advisory" : "RHSA-2025:12662", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "kernel-0:6.12.0-55.25.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-08-04T00:00:00Z", "advisory" : "RHSA-2025:12753", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.66.1.rt7.407.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-08-04T00:00:00Z", "advisory" : "RHSA-2025:12752", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.66.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-09-16T00:00:00Z", "advisory" : "RHSA-2025:15921", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-08-06T00:00:00Z", "advisory" : "RHSA-2025:13120", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.166.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-08-06T00:00:00Z", "advisory" : "RHSA-2025:13120", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.166.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13776", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.157.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13776", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.157.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13776", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.157.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-09-17T00:00:00Z", "advisory" : "RHSA-2025:16045", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-08-05T00:00:00Z", "advisory" : "RHSA-2025:13061", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.104.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-08-05T00:00:00Z", "advisory" : "RHSA-2025:13061", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.104.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-09-16T00:00:00Z", "advisory" : "RHSA-2025:16008", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-08-04T00:00:00Z", "advisory" : "RHSA-2025:12746", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.32.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-08-04T00:00:00Z", "advisory" : "RHSA-2025:12746", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.32.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-09-15T00:00:00Z", "advisory" : "RHSA-2025:15798", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-08-05T00:00:00Z", "advisory" : "RHSA-2025:13030", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.141.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-08-05T00:00:00Z", "advisory" : "RHSA-2025:13029", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.141.1.rt21.213.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-09-16T00:00:00Z", "advisory" : "RHSA-2025:15933", "cpe" : "cpe:/o:redhat:rhel_e4s:9.0", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-29T00:00:00Z", "advisory" : "RHSA-2025:12209", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.128.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-30T00:00:00Z", "advisory" : "RHSA-2025:12311", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.128.1.rt14.413.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-09-16T00:00:00Z", "advisory" : "RHSA-2025:15931", "cpe" : "cpe:/o:redhat:rhel_e4s:9.2", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-08-06T00:00:00Z", "advisory" : "RHSA-2025:13135", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.81.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-09-16T00:00:00Z", "advisory" : "RHSA-2025:15932", "cpe" : "cpe:/o:redhat:rhel_eus:9.4", "package" : "kpatch-patch" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38052\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38052\nhttps://lore.kernel.org/linux-cve-announce/2025061832-CVE-2025-38052-6201@gregkh/T" ], "name" : "CVE-2025-38052", "mitigation" : { "value" : "Mitigation of this issue requires restricting access to the ability to create, modify, or destroy network namespaces. By default, this ability is restricted to privileged users. However, that restriction is only applicable to the host system itself and not to containerized applications. Administrators of container hosts should ensure that only trusted accounts can run containers.", "lang" : "en:us" }, "csaw" : false }