CVE-2025-40215

Vulnerability

Overview

CVE-2025-40215 is a vulnerability in the Linux kernel's IPsec (xfrm) subsystem. The root cause is that IPcomp fallback tunnels (x->tunnel) are not deleted from the kernel's internal lists and hashtables when the corresponding user state is deleted; instead, they are only removed when the last reference to that user state is dropped. If a reference (e.g., from an skb with a secpath) persists, the fallback state remains on the hashtables, triggering a WARN in xfrm_state_fini during network namespace destruction [1][2].

Exploitation

Conditions

An attacker does not directly trigger this bug; it is a kernel resource management flaw. The issue manifests when skbs carrying a secpath are not freed promptly—for example, due to deferred TCP skb freeing (fixed in commit 9b6412e6979f) or IP reassembly queues that are not flushed before netns exit [1]. Any scenario where a reference to an xfrm state outlives the state's deletion can cause the fallback tunnel to linger.

Impact

If the fallback state remains on the hashtables, the kernel triggers a WARN (a kernel warning) during network namespace shutdown. While this does not directly lead to arbitrary code execution, it indicates a kernel state inconsistency that could be leveraged for denial-of-service (system crash or hang) or potentially other undefined behavior. The vulnerability undermines the completeness of a prior fix (commit f75a2804da39) that aimed to synchronously destroy xfrm states on netns exit [1].

Mitigation

The fix, applied in the Linux kernel stable tree, ensures that when a user xfrm state is deleted, its associated fallback tunnel (x->tunnel) is also deleted immediately from all lists and hashtables. A separate lockdep class is introduced for the fallback state to avoid lock ordering issues [1][2][3][4]. Users should apply the latest stable kernel updates containing this commit. No workaround is available; the issue is resolved only by patching.