CVE-2025-38273

{"id": "CVE-2025-38273", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-10T08:15:25.530", "references": [{"url": "https://git.kernel.org/stable/c/307391e8fe70401a6d39ecc9978e13c2c0cdf81f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/445d59025d76d0638b03110f8791d5b89ed5162d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9ff60e0d9974dccf24e89bcd3ee7933e538d929f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/acab7ca5ff19889b80a8ee7dec220ee1a96dede9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c762fc79d710d676b793f9d98b1414efe6eb51e6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e0b11227c4e8eb4bdf1b86aa8f0f3abb24e0f029", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f29ccaa07cf3d35990f4d25028cc55470d29372b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html", "tags": ["Third Party Advisory", "Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html", "tags": ["Third Party Advisory", "Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tipc: fix refcount warning in tipc_aead_encrypt\n\nsyzbot reported a refcount warning [1] caused by calling get_net() on\na network namespace that is being destroyed (refcount=0). This happens\nwhen a TIPC discovery timer fires during network namespace cleanup.\n\nThe recently added get_net() call in commit e279024617134 (\"net/tipc:\nfix slab-use-after-free Read in tipc_aead_encrypt_done\") attempts to\nhold a reference to the network namespace. However, if the namespace\nis already being destroyed, its refcount might be zero, leading to the\nuse-after-free warning.\n\nReplace get_net() with maybe_get_net(), which safely checks if the\nrefcount is non-zero before incrementing it. If the namespace is being\ndestroyed, return -ENODEV early, after releasing the bearer reference.\n\n[1]: https://lore.kernel.org/all/[email protected]/T/#m12019cf9ae77e1954f666914640efa36d52704a2"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tipc: correcci\u00f3n de la advertencia de recuento de referencias en tipc_aead_encrypt. syzbot report\u00f3 una advertencia de recuento de referencias [1] causada por la llamada a get_net() en un espacio de nombres de red que se est\u00e1 destruyendo (recuento de referencias = 0). Esto ocurre cuando se activa un temporizador de descubrimiento de TIPC durante la limpieza del espacio de nombres de red. La llamada a get_net(), recientemente a\u00f1adida en el commit e279024617134 (\"net/tipc: correcci\u00f3n de la lectura de slab-use-after-free en tipc_aead_encrypt_done\"), intenta contener una referencia al espacio de nombres de red. Sin embargo, si el espacio de nombres ya se est\u00e1 destruyendo, su recuento de referencias podr\u00eda ser cero, lo que genera la advertencia de use-after-free. Reemplace get_net() por perhaps_get_net(), que comprueba de forma segura si el recuento de referencias es distinto de cero antes de incrementarlo. Si el espacio de nombres se est\u00e1 destruyendo, devuelva -ENODEV antes de tiempo, despu\u00e9s de liberar la referencia del portador. [1]: https://lore.kernel.org/all/[email protected]/T/#m12019cf9ae77e1954f666914640efa36d52704a2"}], "lastModified": "2025-12-18T16:58:02.433", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D24F0A12-3789-4D0F-9D46-EC46B5EF9615", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.12.31"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2932EEA2-2EDB-4FE6-9BF4-C1F90FF22950", "versionEndExcluding": "6.15", "versionStartIncluding": "6.14.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94EFC2F0-D796-44B3-BB7E-D7800275E9AD", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.15.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10.238:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F13BEF6-CA61-4A23-9CED-61663F79A4A6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15.185:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E141EB19-F649-4D87-A508-F9B8A551E196"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1.141:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE80C371-EA85-49FF-8CEB-D5CAB2E8358E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6.93:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C2C1D69-D7DD-494F-BFFC-05CEC1F3675C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1ECC65A-EE37-4479-8E99-4BB68A22A31F"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}