๐Ÿ” CVE Alert

CVE-2025-21678

UNKNOWN 0.0

gtp: Destroy device along with udp socket's netns dismantle.

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

In the Linux kernel, the following vulnerability has been resolved: gtp: Destroy device along with udp socket's netns dismantle. gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created. Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0] In this example, gtp0 is created in ns2, and the udp socket is created in ns1. ip netns add ns1 ip netns add ns2 ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn ip netns del ns1 Let's link the device to the socket's netns instead. Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove all gtp devices in the netns. [0]: ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236) inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1558) udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18) gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423) gtp_create_sockets (drivers/net/gtp.c:1447) gtp_newlink (drivers/net/gtp.c:1507) rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012) rtnetlink_rcv_msg (net/core/rtnetlink.c:6922) netlink_rcv_skb (net/netlink/af_netlink.c:2542) netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347) netlink_sendmsg (net/netlink/af_netlink.c:1891) ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583) ___sys_sendmsg (net/socket.c:2639) __sys_sendmsg (net/socket.c:2669) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) Modules linked in: CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 RSP: 0018:ff11000009a07b60 EFLAGS: 00010286 RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0 R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn (kernel/panic.c:748) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:285) ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158) ? kfree (mm/slub.c:4613 mm/slub.c:4761) net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467) cleanup_net (net/core/net_namespace.c:664 (discriminator 3)) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391 ---truncated---

Vendor linux
Product linux
Ecosystems
Industries
Technology
Published Jan 31, 2025
Last Updated May 12, 2026
Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Linux / Linux
459aa660eb1d8ce67080da1983bb81d716aa5a69 < c986380c1d5274c4d5e935addc807d6791cc23eb 459aa660eb1d8ce67080da1983bb81d716aa5a69 < 5f1678346109ff3a6d229d33437fcba3cce9209d 459aa660eb1d8ce67080da1983bb81d716aa5a69 < 036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3 459aa660eb1d8ce67080da1983bb81d716aa5a69 < efec287cbac92ac6ee8312a89221854760e13b34 459aa660eb1d8ce67080da1983bb81d716aa5a69 < bb11f992f5a475bc68ef959f17a55306f0328495 459aa660eb1d8ce67080da1983bb81d716aa5a69 < 86f73d4ab2f27deeff22ba9336ad103d94f12ac7 459aa660eb1d8ce67080da1983bb81d716aa5a69 < eb28fd76c0a08a47b470677c6cef9dd1c60e92d1
Linux / Linux
4.7

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
git.kernel.org: https://git.kernel.org/stable/c/c986380c1d5274c4d5e935addc807d6791cc23eb git.kernel.org: https://git.kernel.org/stable/c/5f1678346109ff3a6d229d33437fcba3cce9209d git.kernel.org: https://git.kernel.org/stable/c/036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3 git.kernel.org: https://git.kernel.org/stable/c/efec287cbac92ac6ee8312a89221854760e13b34 git.kernel.org: https://git.kernel.org/stable/c/bb11f992f5a475bc68ef959f17a55306f0328495 git.kernel.org: https://git.kernel.org/stable/c/86f73d4ab2f27deeff22ba9336ad103d94f12ac7 git.kernel.org: https://git.kernel.org/stable/c/eb28fd76c0a08a47b470677c6cef9dd1c60e92d1 lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html cert-portal.siemens.com: https://cert-portal.siemens.com/productcert/html/ssa-265688.html cert-portal.siemens.com: https://cert-portal.siemens.com/productcert/html/ssa-503939.html