{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21884","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.782Z","datePublished":"2025-03-27T14:57:12.486Z","dateUpdated":"2026-05-11T21:08:23.279Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:08:23.279Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: better track kernel sockets lifetime\n\nWhile kernel sockets are dismantled during pernet_operations->exit(),\ntheir freeing can be delayed by any tx packets still held in qdisc\nor device queues, due to skb_set_owner_w() prior calls.\n\nThis then trigger the following warning from ref_tracker_dir_exit() [1]\n\nTo fix this, make sure that kernel sockets own a reference on net->passive.\n\nAdd sk_net_refcnt_upgrade() helper, used whenever a kernel socket\nis converted to a refcounted one.\n\n[1]\n\n[  136.263918][   T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at\n[  136.263918][   T35]      sk_alloc+0x2b3/0x370\n[  136.263918][   T35]      inet6_create+0x6ce/0x10f0\n[  136.263918][   T35]      __sock_create+0x4c0/0xa30\n[  136.263918][   T35]      inet_ctl_sock_create+0xc2/0x250\n[  136.263918][   T35]      igmp6_net_init+0x39/0x390\n[  136.263918][   T35]      ops_init+0x31e/0x590\n[  136.263918][   T35]      setup_net+0x287/0x9e0\n[  136.263918][   T35]      copy_net_ns+0x33f/0x570\n[  136.263918][   T35]      create_new_namespaces+0x425/0x7b0\n[  136.263918][   T35]      unshare_nsproxy_namespaces+0x124/0x180\n[  136.263918][   T35]      ksys_unshare+0x57d/0xa70\n[  136.263918][   T35]      __x64_sys_unshare+0x38/0x40\n[  136.263918][   T35]      do_syscall_64+0xf3/0x230\n[  136.263918][   T35]      entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  136.263918][   T35]\n[  136.343488][   T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at\n[  136.343488][   T35]      sk_alloc+0x2b3/0x370\n[  136.343488][   T35]      inet6_create+0x6ce/0x10f0\n[  136.343488][   T35]      __sock_create+0x4c0/0xa30\n[  136.343488][   T35]      inet_ctl_sock_create+0xc2/0x250\n[  136.343488][   T35]      ndisc_net_init+0xa7/0x2b0\n[  136.343488][   T35]      ops_init+0x31e/0x590\n[  136.343488][   T35]      setup_net+0x287/0x9e0\n[  136.343488][   T35]      copy_net_ns+0x33f/0x570\n[  136.343488][   T35]      create_new_namespaces+0x425/0x7b0\n[  136.343488][   T35]      unshare_nsproxy_namespaces+0x124/0x180\n[  136.343488][   T35]      ksys_unshare+0x57d/0xa70\n[  136.343488][   T35]      __x64_sys_unshare+0x38/0x40\n[  136.343488][   T35]      do_syscall_64+0xf3/0x230\n[  136.343488][   T35]      entry_SYSCALL_64_after_hwframe+0x77/0x7f"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/sock.h","net/core/sock.c","net/mptcp/subflow.c","net/netlink/af_netlink.c","net/rds/tcp.c","net/smc/af_smc.c","net/sunrpc/svcsock.c","net/sunrpc/xprtsock.c"],"versions":[{"version":"0cafd77dcd032d1687efaba5598cf07bce85997f","lessThan":"2668e038800b946d269f96ec1b258c01930a242c","status":"affected","versionType":"git"},{"version":"0cafd77dcd032d1687efaba5598cf07bce85997f","lessThan":"4ceb0bd4ffd009821b585ce6a8033b12b59fb5fb","status":"affected","versionType":"git"},{"version":"0cafd77dcd032d1687efaba5598cf07bce85997f","lessThan":"c31a732fac46b00b95b78fcc9c37cb48dd6f2e0c","status":"affected","versionType":"git"},{"version":"0cafd77dcd032d1687efaba5598cf07bce85997f","lessThan":"5c70eb5c593d64d93b178905da215a9fd288a4b5","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/sock.h","net/core/sock.c","net/mptcp/subflow.c","net/netlink/af_netlink.c","net/rds/tcp.c","net/smc/af_smc.c","net/sunrpc/svcsock.c","net/sunrpc/xprtsock.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"6.6.103","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.43","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.6","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.103"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12.43"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.13.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2668e038800b946d269f96ec1b258c01930a242c"},{"url":"https://git.kernel.org/stable/c/4ceb0bd4ffd009821b585ce6a8033b12b59fb5fb"},{"url":"https://git.kernel.org/stable/c/c31a732fac46b00b95b78fcc9c37cb48dd6f2e0c"},{"url":"https://git.kernel.org/stable/c/5c70eb5c593d64d93b178905da215a9fd288a4b5"}],"title":"net: better track kernel sockets lifetime","x_generator":{"engine":"bippy-1.2.0"}}}}