{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: tipc: Fix use-after-free in tipc_conn_close()",
    "id" : "2383509",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2383509"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntipc: Fix use-after-free in tipc_conn_close().\nsyzbot reported a null-ptr-deref in tipc_conn_close() during netns\ndismantle. [0]\ntipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls\ntipc_conn_close() for each tipc_conn.\nThe problem is that tipc_conn_close() is called after releasing the\nIDR lock.\nAt the same time, there might be tipc_conn_recv_work() running and it\ncould call tipc_conn_close() for the same tipc_conn and release its\nlast ->kref.\nOnce we release the IDR lock in tipc_topsrv_stop(), there is no\nguarantee that the tipc_conn is alive.\nLet's hold the ref before releasing the lock and put the ref after\ntipc_conn_close() in tipc_topsrv_stop().\n[0]:\nBUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\nRead of size 8 at addr ffff888099305a08 by task kworker/u4:3/435\nCPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: netns cleanup_net\nCall Trace:\n__dump_stack lib/dump_stack.c:77 [inline]\ndump_stack+0x1fc/0x2ef lib/dump_stack.c:118\nprint_address_description.cold+0x54/0x219 mm/kasan/report.c:256\nkasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354\nkasan_report mm/kasan/report.c:412 [inline]\n__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433\ntipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\ntipc_topsrv_stop net/tipc/topsrv.c:701 [inline]\ntipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722\nops_exit_list+0xa5/0x150 net/core/net_namespace.c:153\ncleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553\nprocess_one_work+0x864/0x1570 kernel/workqueue.c:2153\nworker_thread+0x64c/0x1130 kernel/workqueue.c:2296\nkthread+0x33f/0x460 kernel/kthread.c:259\nret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\nAllocated by task 23:\nkmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625\nkmalloc include/linux/slab.h:515 [inline]\nkzalloc include/linux/slab.h:709 [inline]\ntipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192\ntipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470\nprocess_one_work+0x864/0x1570 kernel/workqueue.c:2153\nworker_thread+0x64c/0x1130 kernel/workqueue.c:2296\nkthread+0x33f/0x460 kernel/kthread.c:259\nret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\nFreed by task 23:\n__cache_free mm/slab.c:3503 [inline]\nkfree+0xcc/0x210 mm/slab.c:3822\ntipc_conn_kref_release net/tipc/topsrv.c:150 [inline]\nkref_put include/linux/kref.h:70 [inline]\nconn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155\nprocess_one_work+0x864/0x1570 kernel/workqueue.c:2153\nworker_thread+0x64c/0x1130 kernel/workqueue.c:2296\nkthread+0x33f/0x460 kernel/kthread.c:259\nret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\nThe buggy address belongs to the object at ffff888099305a00\nwhich belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 8 bytes inside of\n512-byte region [ffff888099305a00, ffff888099305c00)\nThe buggy address belongs to the page:\npage:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0\nflags: 0xfff00000000100(slab)\nraw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940\nraw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n^\nffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb" ],
  "statement" : "A use-after-free vulnerability was found in tipc_conn_close() in the TIPC subsystem during the cleanup of network namespaces. A race condition between tipc_topsrv_stop() and tipc_conn_recv_work() could result in accessing a freed tipc_conn structure, leading to a kernel crash or potential memory corruption. The bug was found by syzbot and fixed by ensuring proper reference counting.\nThe most straightforward exploitation scenario is a local Denial of Service (DoS), where an unprivileged user with the ability to create user and network namespaces spawns TIPC connections and then triggers network namespace teardown, creating a race condition that causes a use-after-free in tipc_conn_close(). This reliably leads to a kernel panic.\nA hypothetical future scenario involves local privilege escalation, if the attacker can win the race and reallocate the freed object in a controlled way (e.g., via kmalloc-512 slab reuse), leading to memory corruption or hijacking of kernel control flow.\nImportantly, this can be triggered without root privileges if the system allows unprivileged creation of user and net namespaces, which is the case on many Linux distributions (/proc/sys/user/max_user_namespaces > 0 and kernel.unprivileged_userns_clone=1).\nIn such environments, a regular user can execute the TIPC socket creation, manipulate netns teardown, and provoke the race condition required for exploitation.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15005",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.30.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15009",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.72.1.rt7.413.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15008",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.72.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-09-10T00:00:00Z",
    "advisory" : "RHSA-2025:15656",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.168.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15660",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.172.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15660",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.172.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-10T00:00:00Z",
    "advisory" : "RHSA-2025:15647",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.160.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-09-10T00:00:00Z",
    "advisory" : "RHSA-2025:15647",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.160.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-09-10T00:00:00Z",
    "advisory" : "RHSA-2025:15647",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.160.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:14985",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.108.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:14985",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.108.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15011",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.39.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15011",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.39.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15670",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.146.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-09-10T00:00:00Z",
    "advisory" : "RHSA-2025:15658",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.146.1.rt21.218.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-09-04T00:00:00Z",
    "advisory" : "RHSA-2025:15227",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.136.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-09-04T00:00:00Z",
    "advisory" : "RHSA-2025:15224",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.136.1.rt14.421.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15668",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.88.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38464\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38464\nhttps://lore.kernel.org/linux-cve-announce/2025072508-CVE-2025-38464-44a1@gregkh/T" ],
  "name" : "CVE-2025-38464",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module tipc from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}