CVE-2025-40256
Description
In the Linux kernel, the following vulnerability has been resolved:
xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added
In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.
In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.
There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A "proper" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.
At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a memory leak in xfrm occurs when state creation fails after init, leaving IPcomp fallback tunnels uncleaned.
Vulnerability
Description
The Linux kernel's xfrm subsystem has a memory leak vulnerability. When state creation fails after ->init_state has been called but before the state is inserted into the lists (e.g., in add/update or migrate operations), the fallback tunnel for IPcomp is not properly cleaned up. This happens because xfrm_state_delete_tunnel is not called for states that were never added to the lists, a scenario missed in a previous fix [1].
Attack
Scenario
The vulnerability can be triggered via netlink key management or xfrm operations that cause state creation to fail after initialization. An attacker with local access and the ability to manipulate xfrm states (e.g., via netlink socket) can exploit this by repeatedly causing state creation failures, leading to accumulation of leaked tunnel memory.
Impact
Successful exploitation results in a memory leak of IPcomp fallback tunnel structures. While each leaked tunnel is relatively small, repeated exploitation can exhaust system memory, potentially leading to denial of service (system instability or crash).
Mitigation
The fix is included in Linux kernel stable updates. The patch ensures that xfrm_state_delete_tunnel is called during garbage collection for states that were never added to the lists, cleaning up the fallback tunnels. The fix has been applied to multiple stable kernel branches [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
757b72d74d4651dad653643f264441724387b763e5c351206f7d879c19d30d6fe5c740c5710deb6986484Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- git.kernel.org/stable/c/10deb69864840ccf96b00ac2ab3a2055c0c04721nvd
- git.kernel.org/stable/c/1dad653643f28ccc89be93f9440b8804cded85b2nvd
- git.kernel.org/stable/c/57b72d74d4651dc19d046308a8304eb9abfe66acnvd
- git.kernel.org/stable/c/64441724387b4ac92f67ef51caaaeffe99c950d1nvd
- git.kernel.org/stable/c/763e5c351206c1e4d910db4a1159053f6263689cnvd
- git.kernel.org/stable/c/d6fe5c740c573af10943b8353992e1325cdb2715nvd
- git.kernel.org/stable/c/f7d879c19d306512c2e260f37e8a3e5c85e37c50nvd
News mentions
0No linked articles in our index yet.