CVE-2025-39852
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 19/09/2025
Last modified: 19/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6

When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just
exits the function. This ends up causing a memory-leak:

unreferenced object 0xffff0000281a8200 (size 2496):
  comm "softirq", pid 0, jiffies 4295174684
  hex dump (first 32 bytes):
    7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................
    0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............
  backtrace (crc 5ebdbe15):
    kmemleak_alloc+0x44/0xe0
    kmem_cache_alloc_noprof+0x248/0x470
    sk_prot_alloc+0x48/0x120
    sk_clone_lock+0x38/0x3b0
    inet_csk_clone_lock+0x34/0x150
    tcp_create_openreq_child+0x3c/0x4a8
    tcp_v6_syn_recv_sock+0x1c0/0x620
    tcp_check_req+0x588/0x790
    tcp_v6_rcv+0x5d0/0xc18
    ip6_protocol_deliver_rcu+0x2d8/0x4c0
    ip6_input_finish+0x74/0x148
    ip6_input+0x50/0x118
    ip6_sublist_rcv+0x2fc/0x3b0
    ipv6_list_rcv+0x114/0x170
    __netif_receive_skb_list_core+0x16c/0x200
    netif_receive_skb_list_internal+0x1f0/0x2d0

This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when
exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need
to be called. They make sure the newsk will end up being correctly
free'd.

tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit
label that takes care of things. So, this patch here makes sure
tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar
error-handling and thus fixes the leak for TCP-AO.
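
The kmemleak record quoted above is the observable symptom of this leak, so one way to triage a host is to scan kmemleak output for records whose allocation backtrace matches it. The following is an added example, not code from the advisory or from the kernel patch; the function names, the SIGNATURE tuple and the second sample record are constructed for illustration.

```python
import re

# Constructed sample: the record quoted in the advisory (hex dump and backtrace
# shortened), followed by an unrelated record invented here for contrast.
SAMPLE = """\
unreferenced object 0xffff0000281a8200 (size 2496):
  comm "softirq", pid 0, jiffies 4295174684
  hex dump (first 32 bytes):
    7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13  ................
  backtrace (crc 5ebdbe15):
    kmemleak_alloc+0x44/0xe0
    sk_clone_lock+0x38/0x3b0
    tcp_create_openreq_child+0x3c/0x4a8
    tcp_v6_syn_recv_sock+0x1c0/0x620
unreferenced object 0xffff000012345600 (size 64):
  comm "example", pid 123, jiffies 4295000000
  backtrace (crc 00000000):
    kmemleak_alloc+0x44/0xe0
    example_alloc+0x10/0x20
"""

HEADER = re.compile(r"unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
# A frame is "symbol+0xoff/0xlen", optionally preceded by "[<address>]".
FRAME = re.compile(r"(?:\[<[0-9a-f]+>\]\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Assumed signature: child socket cloned on the IPv6 SYN-RECV path, innermost first.
SIGNATURE = ("sk_clone_lock", "tcp_create_openreq_child", "tcp_v6_syn_recv_sock")

def parse_kmemleak(text):
    """Split kmemleak output into records with address, size and frame names."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            records.append({"addr": header.group(1), "size": int(header.group(2)), "frames": []})
        elif records and (frame := FRAME.match(line)):
            records[-1]["frames"].append(frame.group(1))
    return records

def matches_signature(frames, signature=SIGNATURE):
    """True if the signature symbols occur in this order within the backtrace."""
    remaining = iter(frames)
    return all(symbol in remaining for symbol in signature)

def suspect_records(text):
    """Records whose allocation backtrace matches the leak reported in the advisory."""
    return [r for r in parse_kmemleak(text) if matches_signature(r["frames"])]
```

On a kernel built with kmemleak, the text to pass in is the content of /sys/kernel/debug/kmemleak. A match identifies where the leaked socket was allocated, not why it was never freed, so treat a hit as a reason to check whether the running kernel includes the fix.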