In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix bpfskselect_reuseport() memory leak
As pointed out in the original comment, lookup in sockmap can return a TCP ESTABLISHED socket. Such TCP socket may have had SOATTACHREUSEPORTEBPF set before it was ESTABLISHED. In other words, a non-NULL skreuseport_cb does not imply a non-refcounted socket.
Drop sk's reference in both error paths.
unreferenced object 0xffff888101911800 (size 2048): comm "testprogs", pid 44109, jiffies 4297131437 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 9336483b): _kmallocnoprof+0x3bf/0x560 _reuseportalloc+0x1d/0x40 reuseportalloc+0xca/0x150 reuseportattachprog+0x87/0x140 skreuseportattachbpf+0xc8/0x100 sksetsockopt+0x1181/0x1990 dosocksetsockopt+0x12b/0x160 _syssetsockopt+0x7b/0xc0 _x64syssetsockopt+0x1b/0x30 dosyscall64+0x93/0x180 entrySYSCALL64after_hwframe+0x76/0x7e
[
{
"signature_type": "Line",
"digest": {
"line_hashes": [
"154258556468190346270875058781561268697",
"32430229466821103156823661038008149618",
"329898687418735071643987725715150495584",
"162144540841924407359912917464235019280",
"68968553562007179966880806998146147765",
"136607511567005387391750472474640767982",
"311648761100879095704785090761619014040",
"218654179486406075685412184751421224551",
"102012816502291746294504238907796966378",
"225029225627300486843124974488145297730",
"86178669046148470820022107382175469615",
"175402430817074220808843524622700778555",
"43741114883150839463206579965746058306",
"191950034273216088885493210340889617418",
"281339671622038251223409921791447758919",
"300976932869448935789108595399239621201",
"275275192418784719350806119344121989767",
"151603411590419750986375127902416085971",
"47460717487354933432461158944715205276",
"8067182137596524261603235072509859945",
"120683875347674807678476645967590079763"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bb36838dac7bb334a3f3d7eb29875593ec9473fc",
"deprecated": false,
"id": "CVE-2025-21683-4cca3301",
"signature_version": "v1",
"target": {
"file": "net/core/filter.c"
}
},
{
"signature_type": "Line",
"digest": {
"line_hashes": [
"154258556468190346270875058781561268697",
"32430229466821103156823661038008149618",
"329898687418735071643987725715150495584",
"162144540841924407359912917464235019280",
"68968553562007179966880806998146147765",
"136607511567005387391750472474640767982",
"311648761100879095704785090761619014040",
"218654179486406075685412184751421224551",
"102012816502291746294504238907796966378",
"225029225627300486843124974488145297730",
"86178669046148470820022107382175469615",
"175402430817074220808843524622700778555",
"43741114883150839463206579965746058306",
"191950034273216088885493210340889617418",
"281339671622038251223409921791447758919",
"300976932869448935789108595399239621201",
"275275192418784719350806119344121989767",
"151603411590419750986375127902416085971",
"47460717487354933432461158944715205276",
"8067182137596524261603235072509859945",
"120683875347674807678476645967590079763"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0ab52a8ca6e156a64c51b5e7456cac9a0ebfd9bf",
"deprecated": false,
"id": "CVE-2025-21683-5d6433af",
"signature_version": "v1",
"target": {
"file": "net/core/filter.c"
}
},
{
"signature_type": "Line",
"digest": {
"line_hashes": [
"154258556468190346270875058781561268697",
"32430229466821103156823661038008149618",
"329898687418735071643987725715150495584",
"162144540841924407359912917464235019280",
"68968553562007179966880806998146147765",
"136607511567005387391750472474640767982",
"311648761100879095704785090761619014040",
"218654179486406075685412184751421224551",
"102012816502291746294504238907796966378",
"225029225627300486843124974488145297730",
"86178669046148470820022107382175469615",
"175402430817074220808843524622700778555",
"43741114883150839463206579965746058306",
"191950034273216088885493210340889617418",
"281339671622038251223409921791447758919",
"300976932869448935789108595399239621201",
"275275192418784719350806119344121989767",
"151603411590419750986375127902416085971",
"47460717487354933432461158944715205276",
"8067182137596524261603235072509859945",
"120683875347674807678476645967590079763"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b3af60928ab9129befa65e6df0310d27300942bf",
"deprecated": false,
"id": "CVE-2025-21683-630575fa",
"signature_version": "v1",
"target": {
"file": "net/core/filter.c"
}
},
{
"signature_type": "Function",
"digest": {
"length": 707.0,
"function_hash": "257243126272101346842061801807977697712"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cccd51dd22574216e64e5d205489e634f86999f3",
"deprecated": false,
"id": "CVE-2025-21683-73cf44af",
"signature_version": "v1",
"target": {
"function": "BPF_CALL_4",
"file": "net/core/filter.c"
}
},
{
"signature_type": "Line",
"digest": {
"line_hashes": [
"154258556468190346270875058781561268697",
"32430229466821103156823661038008149618",
"329898687418735071643987725715150495584",
"162144540841924407359912917464235019280",
"68968553562007179966880806998146147765",
"136607511567005387391750472474640767982",
"311648761100879095704785090761619014040",
"218654179486406075685412184751421224551",
"102012816502291746294504238907796966378",
"225029225627300486843124974488145297730",
"86178669046148470820022107382175469615",
"175402430817074220808843524622700778555",
"43741114883150839463206579965746058306",
"191950034273216088885493210340889617418",
"281339671622038251223409921791447758919",
"300976932869448935789108595399239621201",
"275275192418784719350806119344121989767",
"151603411590419750986375127902416085971",
"47460717487354933432461158944715205276",
"8067182137596524261603235072509859945",
"120683875347674807678476645967590079763"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d0a3b3d1176d39218b8edb2a2d03164942ab9ccd",
"deprecated": false,
"id": "CVE-2025-21683-8443dcc6",
"signature_version": "v1",
"target": {
"file": "net/core/filter.c"
}
},
{
"signature_type": "Line",
"digest": {
"line_hashes": [
"154258556468190346270875058781561268697",
"32430229466821103156823661038008149618",
"329898687418735071643987725715150495584",
"162144540841924407359912917464235019280",
"68968553562007179966880806998146147765",
"136607511567005387391750472474640767982",
"311648761100879095704785090761619014040",
"218654179486406075685412184751421224551",
"102012816502291746294504238907796966378",
"225029225627300486843124974488145297730",
"86178669046148470820022107382175469615",
"175402430817074220808843524622700778555",
"43741114883150839463206579965746058306",
"191950034273216088885493210340889617418",
"281339671622038251223409921791447758919",
"300976932869448935789108595399239621201",
"275275192418784719350806119344121989767",
"151603411590419750986375127902416085971",
"47460717487354933432461158944715205276",
"8067182137596524261603235072509859945",
"120683875347674807678476645967590079763"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b02e70be498b138e9c21701c2f33f4018ca7cd5e",
"deprecated": false,
"id": "CVE-2025-21683-bef9f607",
"signature_version": "v1",
"target": {
"file": "net/core/filter.c"
}
},
{
"signature_type": "Function",
"digest": {
"length": 707.0,
"function_hash": "257243126272101346842061801807977697712"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bb36838dac7bb334a3f3d7eb29875593ec9473fc",
"deprecated": false,
"id": "CVE-2025-21683-c9da33f1",
"signature_version": "v1",
"target": {
"function": "BPF_CALL_4",
"file": "net/core/filter.c"
}
},
{
"signature_type": "Function",
"digest": {
"length": 707.0,
"function_hash": "257243126272101346842061801807977697712"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0ab52a8ca6e156a64c51b5e7456cac9a0ebfd9bf",
"deprecated": false,
"id": "CVE-2025-21683-cb9c0008",
"signature_version": "v1",
"target": {
"function": "BPF_CALL_4",
"file": "net/core/filter.c"
}
},
{
"signature_type": "Line",
"digest": {
"line_hashes": [
"154258556468190346270875058781561268697",
"32430229466821103156823661038008149618",
"329898687418735071643987725715150495584",
"162144540841924407359912917464235019280",
"68968553562007179966880806998146147765",
"136607511567005387391750472474640767982",
"311648761100879095704785090761619014040",
"218654179486406075685412184751421224551",
"102012816502291746294504238907796966378",
"225029225627300486843124974488145297730",
"86178669046148470820022107382175469615",
"175402430817074220808843524622700778555",
"43741114883150839463206579965746058306",
"191950034273216088885493210340889617418",
"281339671622038251223409921791447758919",
"300976932869448935789108595399239621201",
"275275192418784719350806119344121989767",
"151603411590419750986375127902416085971",
"47460717487354933432461158944715205276",
"8067182137596524261603235072509859945",
"120683875347674807678476645967590079763"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cccd51dd22574216e64e5d205489e634f86999f3",
"deprecated": false,
"id": "CVE-2025-21683-d4c9efaa",
"signature_version": "v1",
"target": {
"file": "net/core/filter.c"
}
},
{
"signature_type": "Function",
"digest": {
"length": 707.0,
"function_hash": "257243126272101346842061801807977697712"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b3af60928ab9129befa65e6df0310d27300942bf",
"deprecated": false,
"id": "CVE-2025-21683-de570093",
"signature_version": "v1",
"target": {
"function": "BPF_CALL_4",
"file": "net/core/filter.c"
}
},
{
"signature_type": "Function",
"digest": {
"length": 707.0,
"function_hash": "257243126272101346842061801807977697712"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d0a3b3d1176d39218b8edb2a2d03164942ab9ccd",
"deprecated": false,
"id": "CVE-2025-21683-e21b0121",
"signature_version": "v1",
"target": {
"function": "BPF_CALL_4",
"file": "net/core/filter.c"
}
},
{
"signature_type": "Function",
"digest": {
"length": 707.0,
"function_hash": "257243126272101346842061801807977697712"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b02e70be498b138e9c21701c2f33f4018ca7cd5e",
"deprecated": false,
"id": "CVE-2025-21683-efff1062",
"signature_version": "v1",
"target": {
"function": "BPF_CALL_4",
"file": "net/core/filter.c"
}
}
]