| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix ownership in __udp_gso_segment\n\nIn __udp_gso_segment the skb destructor is removed before segmenting the\nskb but the socket reference is kept as-is. This is an issue if the\noriginal skb is later orphaned as we can hit the following bug:\n\n kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan)\n RIP: 0010:ip_rcv_core+0x8b2/0xca0\n Call Trace:\n ip_rcv+0xab/0x6e0\n __netif_receive_skb_one_core+0x168/0x1b0\n process_backlog+0x384/0x1100\n __napi_poll.constprop.0+0xa1/0x370\n net_rx_action+0x925/0xe50\n\nThe above can happen following a sequence of events when using\nOpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an\nOVS_ACTION_ATTR_OUTPUT action:\n\n1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb\n goes through queue_gso_packets and then __udp_gso_segment, where its\n destructor is removed.\n2. The segments' data are copied and sent to userspace.\n3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the\n same original skb is sent to its path.\n4. If it later hits skb_orphan, we hit the bug.\n\nFix this by also removing the reference to the socket in\n__udp_gso_segment." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "net/ipv4/udp_offload.c" |
| ], |
| "versions": [ |
| { |
| "version": "ad405857b174ed31a97982bb129c320d03321cf5", |
| "lessThan": "9f28205ddb76e86cac418332e952241d85fed0dc", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ad405857b174ed31a97982bb129c320d03321cf5", |
| "lessThan": "a2d1cca955ed34873e524cc2e6e885450d262f05", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ad405857b174ed31a97982bb129c320d03321cf5", |
| "lessThan": "455217ac9db0cf9349b3933664355e907bb1a569", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ad405857b174ed31a97982bb129c320d03321cf5", |
| "lessThan": "e8db70537878e1bb3fd83e5abcc6feefc0587828", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ad405857b174ed31a97982bb129c320d03321cf5", |
| "lessThan": "01a83237644d6822bc7df2c5564fc81b0df84358", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ad405857b174ed31a97982bb129c320d03321cf5", |
| "lessThan": "084819b0d8b1bd433b90142371eb9450d657f8ca", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ad405857b174ed31a97982bb129c320d03321cf5", |
| "lessThan": "c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ad405857b174ed31a97982bb129c320d03321cf5", |
| "lessThan": "ee01b2f2d7d0010787c2343463965bbc283a497f", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "net/ipv4/udp_offload.c" |
| ], |
| "versions": [ |
| { |
| "version": "4.18", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "4.18", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.291", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.235", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.179", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.1.131", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.83", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12.19", |
| "lessThanOrEqual": "6.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.13.7", |
| "lessThanOrEqual": "6.13.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.14", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "5.4.291" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "5.10.235" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "5.15.179" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "6.1.131" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "6.6.83" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "6.12.19" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "6.13.7" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "6.14" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/9f28205ddb76e86cac418332e952241d85fed0dc" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/a2d1cca955ed34873e524cc2e6e885450d262f05" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/455217ac9db0cf9349b3933664355e907bb1a569" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/e8db70537878e1bb3fd83e5abcc6feefc0587828" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/01a83237644d6822bc7df2c5564fc81b0df84358" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/084819b0d8b1bd433b90142371eb9450d657f8ca" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/ee01b2f2d7d0010787c2343463965bbc283a497f" |
| } |
| ], |
| "title": "net: gso: fix ownership in __udp_gso_segment", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2025-21926", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
