{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40018","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.152Z","datePublished":"2025-10-24T11:44:28.955Z","dateUpdated":"2026-05-11T21:40:53.340Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:40:53.340Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: Defer ip_vs_ftp unregister during netns cleanup\n\nOn the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp\nbefore connections with valid cp->app pointers are flushed, leading to a\nuse-after-free.\n\nFix this by introducing a global `exiting_module` flag, set to true in\nip_vs_ftp_exit() before unregistering the pernet subsystem. In\n__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns\ncleanup (when exiting_module is false) and defer it to\n__ip_vs_cleanup_batch(), which unregisters all apps after all connections\nare flushed. If called during module exit, unregister ip_vs_ftp\nimmediately."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/ipvs/ip_vs_ftp.c"],"versions":[{"version":"61b1ab4583e275af216c8454b9256de680499b19","lessThan":"8a6ecab3847c213ce2855b0378e63ce839085de3","status":"affected","versionType":"git"},{"version":"61b1ab4583e275af216c8454b9256de680499b19","lessThan":"421b1ae1574dfdda68b835c15ac4921ec0030182","status":"affected","versionType":"git"},{"version":"61b1ab4583e275af216c8454b9256de680499b19","lessThan":"1d79471414d7b9424d699afff2aa79fff322f52d","status":"affected","versionType":"git"},{"version":"61b1ab4583e275af216c8454b9256de680499b19","lessThan":"53717f8a4347b78eac6488072ad8e5adbaff38d9","status":"affected","versionType":"git"},{"version":"61b1ab4583e275af216c8454b9256de680499b19","lessThan":"8cbe2a21d85727b66d7c591fd5d83df0d8c4f757","status":"affected","versionType":"git"},{"version":"61b1ab4583e275af216c8454b9256de680499b19","lessThan":"dc1a481359a72ee7e548f1f5da671282a7c13b8f","status":"affected","versionType":"git"},{"version":"61b1ab4583e275af216c8454b9256de680499b19","lessThan":"a343811ef138a265407167294275201621e9ebb2","status":"affected","versionType":"git"},{"version":"61b1ab4583e275af216c8454b9256de680499b19","lessThan":"134121bfd99a06d44ef5ba15a9beb075297c0821","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/ipvs/ip_vs_ftp.c"],"versions":[{"version":"2.6.39","status":"affected"},{"version":"0","lessThan":"2.6.39","status":"unaffected","versionType":"semver"},{"version":"5.4.301","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.246","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.195","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.156","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.112","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.53","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"5.4.301"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"5.10.246"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"5.15.195"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.1.156"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.6.112"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.12.53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8a6ecab3847c213ce2855b0378e63ce839085de3"},{"url":"https://git.kernel.org/stable/c/421b1ae1574dfdda68b835c15ac4921ec0030182"},{"url":"https://git.kernel.org/stable/c/1d79471414d7b9424d699afff2aa79fff322f52d"},{"url":"https://git.kernel.org/stable/c/53717f8a4347b78eac6488072ad8e5adbaff38d9"},{"url":"https://git.kernel.org/stable/c/8cbe2a21d85727b66d7c591fd5d83df0d8c4f757"},{"url":"https://git.kernel.org/stable/c/dc1a481359a72ee7e548f1f5da671282a7c13b8f"},{"url":"https://git.kernel.org/stable/c/a343811ef138a265407167294275201621e9ebb2"},{"url":"https://git.kernel.org/stable/c/134121bfd99a06d44ef5ba15a9beb075297c0821"}],"title":"ipvs: Defer ip_vs_ftp unregister during netns cleanup","x_generator":{"engine":"bippy-1.2.0"}}}}