CVE-2025-40175

A vulnerability in the Linux kernel's idpf driver occurs when PTP (Precision Time Protocol) timestamp requests are processed. The driver correctly clones SKBs using skb_get to increase the reference counter and prevent premature freeing. However, if a device reset occurs while PTP flows are active, the cloned SKBs assigned to Tx timestamp latches may never be consumed, leaving them unreleased and causing a memory leak [1].

To trigger this issue, an attacker would need to be able to induce a reset on the interface while PTP timestamping is in use. This could be achieved through local access or by causing a reset condition. The vulnerability is present in kernel versions where the idpf driver includes PTP support and the reset handling does not clean up pending timestamp SKBs [2].

The impact is a memory leak that can degrade system performance and stability over time. Each unreleased SKB consumes kernel memory, and repeated resets or continuous PTP usage could accumulate significant leakage, potentially leading to denial of service.

The fix, introduced in the Linux kernel mainline and backported to stable releases, adds a check in the release timestamping function to verify if the SKB assigned to the Tx timestamp latch was freed, and releases any remaining SKBs [1][2]. Users should update to a kernel version containing the patch. No workaround is documented.