DEBIAN-CVE-2025-38052

Source
https://security-tracker.debian.org/tracker/CVE-2025-38052
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-38052.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-38052
Upstream
Downstream
Published
2025-06-18T10:15:37Z
Modified
2025-10-15T07:29:50.826963Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: net/tipc: fix slab-use-after-free Read in tipcaeadencryptdone Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in tipcaeadencryptdone+0x4bd/0x510 net/tipc/crypto.c:840 Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25 Call Trace: kasanreport+0xd9/0x110 mm/kasan/report.c:601 tipcaeadencryptdone+0x4bd/0x510 net/tipc/crypto.c:840 cryptorequestcomplete include/crypto/algapi.h:266 aeadrequestcomplete include/crypto/internal/aead.h:85 cryptdaeadcrypt+0x3b8/0x750 crypto/cryptd.c:772 cryptorequestcomplete include/crypto/algapi.h:266 cryptdqueueworker+0x131/0x200 crypto/cryptd.c:181 processonework+0x9fb/0x1b60 kernel/workqueue.c:3231 Allocated by task 8355: kzallocnoprof include/linux/slab.h:778 tipccryptostart+0xcc/0x9e0 net/tipc/crypto.c:1466 tipcinitnet+0x2dd/0x430 net/tipc/core.c:72 opsinit+0xb9/0x650 net/core/netnamespace.c:139 setupnet+0x435/0xb40 net/core/netnamespace.c:343 copynetns+0x2f0/0x670 net/core/netnamespace.c:508 createnewnamespaces+0x3ea/0xb10 kernel/nsproxy.c:110 unsharensproxynamespaces+0xc0/0x1f0 kernel/nsproxy.c:228 ksysunshare+0x419/0x970 kernel/fork.c:3323 _dosysunshare kernel/fork.c:3394 Freed by task 63: kfree+0x12a/0x3b0 mm/slub.c:4557 tipccryptostop+0x23c/0x500 net/tipc/crypto.c:1539 tipcexitnet+0x8c/0x110 net/tipc/core.c:119 opsexitlist+0xb0/0x180 net/core/netnamespace.c:173 cleanupnet+0x5b7/0xbf0 net/core/netnamespace.c:640 processonework+0x9fb/0x1b60 kernel/workqueue.c:3231 After freed the tipccrypto tx by delete namespace, tipcaeadencryptdone may still visit it in cryptdqueueworker workqueue. I reproduce this issue by: ip netns add ns1 ip link add veth1 type veth peer name veth2 ip link set veth1 netns ns1 ip netns exec ns1 tipc bearer enable media eth dev veth1 ip netns exec ns1 tipc node set key thisisamasterkey master ip netns exec ns1 tipc bearer disable media eth dev veth1 ip netns del ns1 The key of reproduction is that, simdaeadencrypt is interrupted, leading to cryptosimdusable() return false. Thus, the cryptdqueueworker is triggered, and the tipccrypto tx will be visited. tipcdisctimeout tipcbearerxmitskb tipccryptoxmit tipcaeadencrypt cryptoaeadencrypt // encrypt() simdaeadencrypt // cryptosimdusable() is false child = &ctx->cryptdtfm->base; simdaeadencrypt cryptoaeadencrypt // encrypt() cryptdaeadencryptenqueue cryptdaeadenqueue cryptdenqueuerequest // trigger cryptdqueueworker queueworkon(smpprocessorid(), cryptdwq, &cpu_queue->work) Fix this by holding net reference count before encrypt.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.244-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2
5.10.216-1
5.10.218-1
5.10.221-1
5.10.223-1
5.10.226-1
5.10.234-1
5.10.237-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.147-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.1.128-1
6.1.129-1
6.1.133-1
6.1.135-1
6.1.137-1
6.1.139-1
6.1.140-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.32-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.32-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / linux-6.1

Package

Name
linux-6.1
Purl
pkg:deb/debian/linux-6.1?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.153-1~deb11u1

Affected versions

6.*

6.1.106-3~deb11u1
6.1.106-3~deb11u2
6.1.106-3~deb11u3
6.1.112-1~deb11u1
6.1.119-1~deb11u1
6.1.128-1~deb11u1
6.1.129-1~deb11u1
6.1.137-1~deb11u1
6.1.140-1~deb11u1
6.1.147-1~deb11u1
6.1.148-1~deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}