CVE-2025-21926

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21926
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21926.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21926
Downstream
Related
Published
2025-04-01T16:15:23Z
Modified
2025-08-09T20:01:26Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: gso: fix ownership in __udp_gso_segment

In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug:

  kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan)
  RIP: 0010:ip_rcv_core+0x8b2/0xca0
  Call Trace:
   ip_rcv+0xab/0x6e0
   __netif_receive_skb_one_core+0x168/0x1b0
   process_backlog+0x384/0x1100
   __napi_poll.constprop.0+0xa1/0x370
   net_rx_action+0x925/0xe50

The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action:

  1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed.
  2. The segments' data are copied and sent to userspace.
  3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path.
  4. If it later hits skb_orphan, we hit the bug.

Fix this by also removing the reference to the socket in __udp_gso_segment.

References

Affected packages