{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21926","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.788Z","datePublished":"2025-04-01T15:40:57.882Z","dateUpdated":"2026-05-11T21:09:12.448Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:09:12.448Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix ownership in __udp_gso_segment\n\nIn __udp_gso_segment the skb destructor is removed before segmenting the\nskb but the socket reference is kept as-is. This is an issue if the\noriginal skb is later orphaned as we can hit the following bug:\n\n  kernel BUG at ./include/linux/skbuff.h:3312!  (skb_orphan)\n  RIP: 0010:ip_rcv_core+0x8b2/0xca0\n  Call Trace:\n   ip_rcv+0xab/0x6e0\n   __netif_receive_skb_one_core+0x168/0x1b0\n   process_backlog+0x384/0x1100\n   __napi_poll.constprop.0+0xa1/0x370\n   net_rx_action+0x925/0xe50\n\nThe above can happen following a sequence of events when using\nOpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an\nOVS_ACTION_ATTR_OUTPUT action:\n\n1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb\n   goes through queue_gso_packets and then __udp_gso_segment, where its\n   destructor is removed.\n2. The segments' data are copied and sent to userspace.\n3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the\n   same original skb is sent to its path.\n4. If it later hits skb_orphan, we hit the bug.\n\nFix this by also removing the reference to the socket in\n__udp_gso_segment."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/udp_offload.c"],"versions":[{"version":"ad405857b174ed31a97982bb129c320d03321cf5","lessThan":"9f28205ddb76e86cac418332e952241d85fed0dc","status":"affected","versionType":"git"},{"version":"ad405857b174ed31a97982bb129c320d03321cf5","lessThan":"a2d1cca955ed34873e524cc2e6e885450d262f05","status":"affected","versionType":"git"},{"version":"ad405857b174ed31a97982bb129c320d03321cf5","lessThan":"455217ac9db0cf9349b3933664355e907bb1a569","status":"affected","versionType":"git"},{"version":"ad405857b174ed31a97982bb129c320d03321cf5","lessThan":"e8db70537878e1bb3fd83e5abcc6feefc0587828","status":"affected","versionType":"git"},{"version":"ad405857b174ed31a97982bb129c320d03321cf5","lessThan":"01a83237644d6822bc7df2c5564fc81b0df84358","status":"affected","versionType":"git"},{"version":"ad405857b174ed31a97982bb129c320d03321cf5","lessThan":"084819b0d8b1bd433b90142371eb9450d657f8ca","status":"affected","versionType":"git"},{"version":"ad405857b174ed31a97982bb129c320d03321cf5","lessThan":"c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b","status":"affected","versionType":"git"},{"version":"ad405857b174ed31a97982bb129c320d03321cf5","lessThan":"ee01b2f2d7d0010787c2343463965bbc283a497f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/udp_offload.c"],"versions":[{"version":"4.18","status":"affected"},{"version":"0","lessThan":"4.18","status":"unaffected","versionType":"semver"},{"version":"5.4.291","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.235","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.179","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.131","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.83","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.19","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.7","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.4.291"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.10.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.15.179"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.1.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.6.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.12.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.13.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9f28205ddb76e86cac418332e952241d85fed0dc"},{"url":"https://git.kernel.org/stable/c/a2d1cca955ed34873e524cc2e6e885450d262f05"},{"url":"https://git.kernel.org/stable/c/455217ac9db0cf9349b3933664355e907bb1a569"},{"url":"https://git.kernel.org/stable/c/e8db70537878e1bb3fd83e5abcc6feefc0587828"},{"url":"https://git.kernel.org/stable/c/01a83237644d6822bc7df2c5564fc81b0df84358"},{"url":"https://git.kernel.org/stable/c/084819b0d8b1bd433b90142371eb9450d657f8ca"},{"url":"https://git.kernel.org/stable/c/c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b"},{"url":"https://git.kernel.org/stable/c/ee01b2f2d7d0010787c2343463965bbc283a497f"}],"title":"net: gso: fix ownership in __udp_gso_segment","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:39:23.706Z"}}]}}