CVE-2025-21926

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/04/2025
Last modified:
01/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: gso: fix ownership in __udp_gso_segment

In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug:

    kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan)
    RIP: 0010:ip_rcv_core+0x8b2/0xca0
    Call Trace:
    ip_rcv+0xab/0x6e0
    __netif_receive_skb_one_core+0x168/0x1b0
    process_backlog+0x384/0x1100
    __napi_poll.constprop.0+0xa1/0x370
    net_rx_action+0x925/0xe50

The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action:

1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed.
2. The segments' data are copied and sent to userspace.
3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path.
4. If it later hits skb_orphan, we hit the bug.

Fix this by also removing the reference to the socket in __udp_gso_segment.
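The invariant the commit message is describing is the one skb_orphan() enforces: an skb with no destructor must not hold a socket pointer, otherwise BUG_ON(skb->sk) fires. The following is an added, deliberately simplified C model of that invariant and of the two-action OVS sequence above; it is not kernel code and not the fix commit itself. The struct names and the functions udp_gso_segment_model(), skb_orphan_model() and ovs_sequence_is_safe() are hypothetical stand-ins for the kernel's __udp_gso_segment() and skb_orphan(), and the model reports the would-be BUG as a false return value instead of crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (not kernel code): the kernel's sk_buff carries a pointer to the
 * owning socket and a destructor that releases that ownership. */
struct sock {
    int wmem_owners;   /* counts skbs that hold a write-memory reference */
};

struct sk_buff {
    struct sock *sk;
    void (*destructor)(struct sk_buff *);
};

/* Stand-in for sock_wfree(): release this skb's reference on the socket. */
static void sock_wfree(struct sk_buff *skb)
{
    skb->sk->wmem_owners--;
}

/* Mirrors the logic of the kernel's skb_orphan(): if a destructor is present it
 * is run and ownership cleared; if not, the socket pointer must already be NULL
 * (BUG_ON(skb->sk) in the kernel, the crash at skbuff.h:3312 in the trace).
 * Returns false where the kernel would BUG. */
static bool skb_orphan_model(struct sk_buff *skb)
{
    if (skb->destructor) {
        skb->destructor(skb);
        skb->destructor = NULL;
        skb->sk = NULL;
        return true;
    }
    return skb->sk == NULL;
}

/* Simplified stand-in for __udp_gso_segment(): the destructor is cleared on the
 * original so that segmentation does not copy it to every segment, and the
 * segment takes over the socket reference. With fixed == false the original
 * keeps its sk pointer (pre-fix behaviour); with fixed == true it is cleared
 * as well, which is what the commit message describes as the fix. */
static void udp_gso_segment_model(struct sk_buff *gso_skb, struct sk_buff *seg, bool fixed)
{
    struct sock *sk = gso_skb->sk;
    bool copy_dtor = gso_skb->destructor == sock_wfree;

    if (copy_dtor) {
        gso_skb->destructor = NULL;
        if (fixed)
            gso_skb->sk = NULL;   /* also drop the socket reference */
    }

    /* Ownership is handed to the segment, which gets its own reference. */
    if (copy_dtor) {
        seg->sk = sk;
        seg->destructor = sock_wfree;
        sk->wmem_owners++;
    }
}

/* Replays the OVS sequence from the advisory on the model:
 *   step 1: USERSPACE action segments the skb (destructor removed)
 *   step 3: OUTPUT action sends the same original skb onward
 *   step 4: the receive path orphans it
 * Returns true when step 4 is safe, false where the kernel would BUG. */
bool ovs_sequence_is_safe(bool fixed)
{
    struct sock sk = { .wmem_owners = 1 };
    struct sk_buff orig = { .sk = &sk, .destructor = sock_wfree };
    struct sk_buff seg = { .sk = NULL, .destructor = NULL };

    udp_gso_segment_model(&orig, &seg, fixed);   /* step 1 */
    bool safe = skb_orphan_model(&orig);          /* steps 3-4 */
    skb_orphan_model(&seg);                       /* segment released normally */
    return safe;
}

int main(void)
{
    printf("pre-fix sequence safe: %s\n", ovs_sequence_is_safe(false) ? "yes" : "no (BUG_ON)");
    printf("fixed   sequence safe: %s\n", ovs_sequence_is_safe(true) ? "yes" : "no (BUG_ON)");
    return 0;
}
```

The point of the model is the pairing: destructor and socket pointer are set and cleared together, and any code path that clears only one of them leaves an skb that a later skb_orphan() cannot handle. For triage, the signature to look for in crash reports is exactly the one in the advisory, a BUG in skb_orphan reached from the receive path (ip_rcv_core) after OVS userspace upcalls on UDP GSO traffic.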

Impact