Wind River Support Network

Acknowledged

LIN1023-13955 : Security Advisory - linux - CVE-2025-38273

Created: Jul 10, 2025    Updated: Jul 14, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

net: tipc: fix refcount warning in tipc_aead_encrypt

syzbot reported a refcount warning [1] caused by calling get_net() on a network namespace that is being destroyed (refcount=0). This happens when a TIPC discovery timer fires during network namespace cleanup.

The recently added get_net() call in commit e279024617134 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to hold a reference to the network namespace. However, if the namespace is already being destroyed, its refcount might be zero, leading to the use-after-free warning.

Replace get_net() with maybe_get_net(), which safely checks if the refcount is non-zero before incrementing it. If the namespace is being destroyed, return -ENODEV early, after releasing the bearer reference.

[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
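The difference between the two reference-taking styles described above, as an added userspace model that is not the kernel patch or Wind River code. The names `struct obj`, `obj_get`, `obj_maybe_get`, `obj_put` and `encrypt_start` are hypothetical, and taking the bearer reference inside `encrypt_start` is an assumption made so the model is self-contained.

```c
/* Userspace model, not kernel code. All names are hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>

struct obj { atomic_int refs; };   /* stands in for a netns or a bearer */

/* get_net()-style: increments unconditionally, even from 0, so a
 * dying object gains a "holder" although teardown is in progress. */
struct obj *obj_get(struct obj *o)
{
    atomic_fetch_add(&o->refs, 1);
    return o;
}

/* maybe_get_net()-style: take a reference only while refs != 0. */
struct obj *obj_maybe_get(struct obj *o)
{
    int old = atomic_load(&o->refs);
    while (old != 0)
        if (atomic_compare_exchange_weak(&o->refs, &old, old + 1))
            return o;
    return NULL;                   /* teardown already started */
}

void obj_put(struct obj *o) { atomic_fetch_sub(&o->refs, 1); }

/* Shape of the fixed path: hold the bearer, then try the namespace;
 * if it is dying, drop the bearer reference and return -ENODEV. */
int encrypt_start(struct obj *net, struct obj *bearer)
{
    if (!obj_maybe_get(bearer))
        return -ENODEV;
    if (!obj_maybe_get(net)) {
        obj_put(bearer);
        return -ENODEV;
    }
    return 0;                      /* caller drops both refs on completion */
}

int main(void)
{
    struct obj net, bearer;
    atomic_init(&net.refs, 0);     /* constructed: namespace being destroyed */
    atomic_init(&bearer.refs, 1);
    int rc = encrypt_start(&net, &bearer);
    printf("dying netns: rc=%d bearer refs=%d\n", rc, atomic_load(&bearer.refs));
    return 0;
}
```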

CREATE(Triage):(User=admin) [CVE-2025-38273 (https://nvd.nist.gov/vuln/detail/CVE-2025-38273)]