VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40170

Description

In the Linux kernel, the following vulnerability has been resolved:

net: use dst_dev_rcu() in sk_setup_caps()

Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size().

Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward().

ip4_dst_hoplimit() can use dst_dev_net_rcu().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel fix uses RCU to protect dst->dev accesses in sk_setup_caps() and related functions, preventing use-after-free bugs.

Vulnerability Analysis

This vulnerability is a race condition in the Linux kernel's networking stack. The functions sk_setup_caps(), sk_dst_gso_max_size(), ip6_dst_mtu_maybe_forward(), ip_dst_mtu_maybe_forward(), and ip4_dst_hoplimit() access the dst->dev field without proper synchronization. This can lead to a use-after-free if the device is removed while these functions are executing, because the dst entry may still reference the dev after it has been freed [1].

Exploitation

An attacker would need to trigger this race condition by causing a network namespace or device to be removed while concurrent network operations are in progress. The attack requires the ability to trigger device removal (e.g., via netlink or namespace deletion) while other threads are performing socket operations that call the affected functions. No special privileges beyond the ability to manage network devices are needed, though the race window is narrow [1].

Impact

Successful exploitation could allow an attacker to cause a use-after-free, leading to a kernel crash (denial of service) or potentially arbitrary code execution in kernel context. The impact is system-wide, as the networking stack is core to kernel operation [1].

Mitigation

The fix introduces RCU (Read-Copy-Update) protection for dst->dev accesses in the affected functions. The patch has been applied to the Linux kernel stable tree. Users should update to a kernel version containing this commit [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
