CVE-2025-40018

Vulnerability

In the Linux kernel's IPVS subsystem, the ip_vs_ftp helper module could be unregistered during network namespace (netns) cleanup before all connections with valid cp->app pointers were flushed. This ordering issue led to a use-after-free condition when the connection cleanup code later attempted to access the already-freed app structure [1].

Exploitation

The vulnerability is triggered on the netns cleanup path. When a netns is being torn down, __ip_vs_ftp_exit() may call the unregister function for ip_vs_ftp while active connections still reference the helper. No special privileges are required beyond the ability to trigger netns cleanup (e.g., by removing a network namespace), and the attack surface is local to the kernel [1].

Impact

An attacker who can trigger netns cleanup while ip_vs_ftp connections are active could cause a use-after-free, potentially leading to memory corruption, system crash (denial of service), or possibly privilege escalation. The issue is classified as a high-severity memory safety bug [1].

Mitigation

The fix introduces a global exiting_module flag. During module exit, ip_vs_ftp is unregistered immediately; during netns cleanup, the unregister is deferred to __ip_vs_cleanup_batch(), which runs after all connections are flushed. The patch has been applied to the stable kernel tree [1][2][3]. Users should update to a patched kernel version.