{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39852","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.142Z","datePublished":"2025-09-19T15:26:24.312Z","dateUpdated":"2026-05-11T21:37:41.374Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:37:41.374Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6\n\nWhen tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just\nexits the function. This ends up causing a memory-leak:\n\nunreferenced object 0xffff0000281a8200 (size 2496):\n  comm \"softirq\", pid 0, jiffies 4295174684\n  hex dump (first 32 bytes):\n    7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13  ................\n    0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00  ...a............\n  backtrace (crc 5ebdbe15):\n    kmemleak_alloc+0x44/0xe0\n    kmem_cache_alloc_noprof+0x248/0x470\n    sk_prot_alloc+0x48/0x120\n    sk_clone_lock+0x38/0x3b0\n    inet_csk_clone_lock+0x34/0x150\n    tcp_create_openreq_child+0x3c/0x4a8\n    tcp_v6_syn_recv_sock+0x1c0/0x620\n    tcp_check_req+0x588/0x790\n    tcp_v6_rcv+0x5d0/0xc18\n    ip6_protocol_deliver_rcu+0x2d8/0x4c0\n    ip6_input_finish+0x74/0x148\n    ip6_input+0x50/0x118\n    ip6_sublist_rcv+0x2fc/0x3b0\n    ipv6_list_rcv+0x114/0x170\n    __netif_receive_skb_list_core+0x16c/0x200\n    netif_receive_skb_list_internal+0x1f0/0x2d0\n\nThis is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when\nexiting upon error, inet_csk_prepare_forced_close() and tcp_done() need\nto be called. They make sure the newsk will end up being correctly\nfree'd.\n\ntcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit\nlabel that takes care of things. So, this patch here makes sure\ntcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar\nerror-handling and thus fixes the leak for TCP-AO."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/tcp_ipv6.c"],"versions":[{"version":"06b22ef29591f625ef877ae00d82192938e29e60","lessThan":"46d33c878fc0b3d7570366b2c9912395b3f4e701","status":"affected","versionType":"git"},{"version":"06b22ef29591f625ef877ae00d82192938e29e60","lessThan":"3d2b356d994a8801acb397cafd28b13672c37ab5","status":"affected","versionType":"git"},{"version":"06b22ef29591f625ef877ae00d82192938e29e60","lessThan":"fa390321aba0a54d0f7ae95ee4ecde1358bb9234","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/tcp_ipv6.c"],"versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","status":"unaffected","versionType":"semver"},{"version":"6.12.46","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.6","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.16.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/46d33c878fc0b3d7570366b2c9912395b3f4e701"},{"url":"https://git.kernel.org/stable/c/3d2b356d994a8801acb397cafd28b13672c37ab5"},{"url":"https://git.kernel.org/stable/c/fa390321aba0a54d0f7ae95ee4ecde1358bb9234"}],"title":"net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-39852","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-01-14T19:21:28.643713Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-401","description":"CWE-401 Missing Release of Memory after Effective Lifetime"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-14T19:23:12.597Z"}}]}}