CVE-2025-40186
Description
In the Linux kernel, the following vulnerability has been resolved:
tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
syzbot reported the splat below in tcp_conn_request(). [0]
If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket.
After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due to !reqsk->sk.
Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the drop_and_free label causes the refcount underflow for the listener and double-free of the reqsk.
Let's remove reqsk_fastopen_remove() in tcp_conn_request().
Note that other callers make sure tp->fastopen_rsk is not NULL.
[0]: refcount_t: underflow; use-after-free. WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28) Modules linked in: CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:refcount_warn_saturate (lib/refcount.c:28) Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6 RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246 RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900 RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280 RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280 R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100 R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8 FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0 Call Trace:
tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301) tcp_rcv_state_process (net/ipv4/tcp_input.c:6708) tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670) tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438) ip6_input (net/ipv6/ip6_input.c:500) ipv6_rcv (net/ipv6/ip6_input.c:311) __netif_receive_skb (net/core/dev.c:6104) process_backlog (net/core/dev.c:6456) __napi_poll (net/core/dev.c:7506) net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reference-counting bug in the Linux kernel's TCP fast open handling can cause a use-after-free when a listening socket is closed during TFO socket processing.
Vulnerability
Overview
CVE-2025-40186 is a use-after-free vulnerability in the Linux kernel's TCP stack, specifically in the fast open (TFO) request handling. The bug occurs in tcp_conn_request() when it calls reqsk_fastopen_remove(). Under a specific race condition—where the listening socket is closed while a TFO socket is being processed—inet_csk_reqsk_queue_add() fails to set reqsk->sk, causing inet_child_forget() to call tcp_disconnect(). This call chain triggers a premature reqsk_put() and frees the request socket while tcp_conn_request() still holds a reference, leading to a refcount underflow and use-after-free [0].
Exploitation
Scenario
The vulnerability requires a race condition: an attacker must trigger a TFO connection request while simultaneously closing the listening socket from another thread or process. No special privileges are needed beyond the ability to establish TCP connections and manipulate sockets. The attack surface is local, but could be exploited from a container or unprivileged process to affect the host kernel. The bug is triggered by concurrent socket operations, making it a time-of-check/time-of-use (TOCTOU) issue.
Impact
A successful exploit results in a double-free of the request socket (reqsk) and a refcount underflow on the listener's reference count. This can crash the kernel (as evidenced by the syzbot report's refcount_t: underflow warning) or potentially lead to arbitrary code execution due to the use-after-free condition on kernel memory. The impact is denial-of-service and, in worst-case scenarios, privilege escalation.
Mitigation
The fix removes the call to reqsk_fastopen_remove() from tcp_conn_request(), preventing the double-free. The patch has been applied to the stable kernel branches as identified by commits [1], [2], and [3] (the reference links are behind an Anubis proof-of-work gate, but the commits are publicly available in the Linux stable tree). Users should update to the latest stable kernel version that includes this fix. There are no known workarounds beyond applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
8e359b742eac1ff6a8883f96aeb85ad5f2326643a94b0cf76422c1c173c39c11ace909e8764dc47a13aa32e7cbbbe3d61Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1cnvd
- git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233bnvd
- git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7fnvd
- git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15nvd
- git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32nvd
- git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9bnvd
- git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7nvd
- git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124dnvd
News mentions
0No linked articles in our index yet.