CVE-2025-22057: Vulnerability in Linux

High
Published: Wed Apr 16 2025 (04/16/2025, 14:12:14 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: decrease cached dst counters in dst_release

Upstream fix ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") moved decrementing the dst count from dst_destroy to dst_release to avoid accessing already freed data in case of netns dismantle.

However in case CONFIG_DST_CACHE is enabled and OvS+tunnels are used, this fix is incomplete as the same issue will be seen for cached dsts:

  Unable to handle kernel paging request at virtual address ffff5aabf6b5c000
  Call trace:
   percpu_counter_add_batch+0x3c/0x160 (P)
   dst_release+0xec/0x108
   dst_cache_destroy+0x68/0xd8
   dst_destroy+0x13c/0x168
   dst_destroy_rcu+0x1c/0xb0
   rcu_do_batch+0x18c/0x7d0
   rcu_core+0x174/0x378
   rcu_core_si+0x18/0x30

Fix this by invalidating the cache, and thus decrementing cached dst counters, in dst_release too.

AI-Powered Analysis

Last updated: 07/03/2025, 20:41:13 UTC

Technical Analysis

CVE-2025-22057 is a vulnerability in the Linux kernel related to the handling of destination cache (dst_cache) counters within the networking subsystem. The issue arises from an incomplete fix in the kernel's network stack, specifically in the functions managing cached destination entries (dst entries) used for routing and tunneling, including Open vSwitch (OvS) tunnels.

The original fix moved the decrementing of dst counters from the dst_destroy function to dst_release to prevent use-after-free errors during network namespace dismantling. However, when CONFIG_DST_CACHE is enabled and OvS tunnels are in use, cached dst entries are not properly invalidated, leading to attempts to access already freed memory. This results in kernel paging faults and potential system crashes, as evidenced by the kernel call trace involving percpu_counter_add_batch and dst_release functions. The vulnerability is rooted in improper reference counting and cache invalidation of dst entries, which can cause kernel memory corruption and instability.

The fix involves ensuring that cached dst counters are decremented and the cache invalidated within dst_release, preventing access to freed memory. This vulnerability affects Linux kernel versions identified by the commit hash d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8 and likely other versions with similar code paths and configurations. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with CONFIG_DST_CACHE enabled and utilizing Open vSwitch tunnels or similar networking configurations. Such environments are common in data centers, cloud infrastructure, and enterprise networks that rely on Linux-based virtualization and container orchestration platforms. The impact includes potential kernel panics or system crashes due to memory access violations, leading to denial of service (DoS) conditions. This can disrupt critical services, degrade network performance, and cause downtime. While there is no indication of direct remote code execution or privilege escalation, the instability can be exploited by attackers to cause persistent outages or to facilitate further attacks by destabilizing network infrastructure. Organizations with high availability requirements, such as financial institutions, telecommunications providers, and public sector entities, may face operational and reputational damage. Additionally, the complexity of the vulnerability in kernel networking code means that debugging and recovery might require specialized expertise, increasing incident response costs.

Mitigation Recommendations

European organizations should prioritize applying the upstream Linux kernel patch that properly invalidates cached dst entries and decrements their counters in dst_release. This requires updating to a fixed kernel version or backporting the patch if using long-term support (LTS) kernels. System administrators should audit their Linux environments to identify if CONFIG_DST_CACHE is enabled and if Open vSwitch or similar tunneling technologies are in use. Where possible, temporarily disabling CONFIG_DST_CACHE or avoiding the use of affected tunneling features can reduce exposure until patches are applied; note that CONFIG_DST_CACHE is a build-time kernel option, so disabling it means rebuilding the kernel. Monitoring kernel logs for paging faults or dst_release-related errors can help detect exploitation attempts or crashes. Implementing robust kernel crash dump and analysis procedures will aid in rapid diagnosis. Network segmentation and limiting access to management interfaces can reduce the risk of exploitation. Finally, organizations should coordinate with Linux distribution vendors for timely security updates and verify patch deployment across all affected systems.
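The audit and log-monitoring steps above can be scripted. The following is an added example, not code from the advisory or the kernel project; the module list and the 3-line frame gap are assumptions, and the sample log is constructed from the trace quoted in the description.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2025-22057 (not from the advisory).

# Succeeds if a kernel config file (plain or .gz) has CONFIG_DST_CACHE=y.
dst_cache_enabled() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac | grep -qx 'CONFIG_DST_CACHE=y'
}

# Prints modules from a /proc/modules-style file that match an assumed
# (not exhaustive) list of Open vSwitch and tunnel drivers.
tunnel_modules() {
    awk '$1 ~ /^(openvswitch|vxlan|geneve|ip_gre|ip6_tunnel)$/ { print $1 }' "$@"
}

# Succeeds if the log (file argument or stdin) holds the advisory's crash
# signature: percpu_counter_add_batch, then dst_release, then
# dst_cache_destroy, each within 3 lines of the previous frame (assumed gap).
has_dst_release_oops() {
    awk '
        /percpu_counter_add_batch\+/ { step = 1; gap = 0; next }
        step > 0 {
            if (++gap > 3) { step = 0; next }
            if (step == 1 && /dst_release\+/) { step = 2; gap = 0 }
            else if (step == 2 && /dst_cache_destroy\+/) { found = 1; exit }
        }
        END { exit !found }
    ' "$@"
}

# Constructed sample: the fault and call trace quoted in the description.
sample_oops() {
    cat <<'EOF'
Unable to handle kernel paging request at virtual address ffff5aabf6b5c000
Call trace:
 percpu_counter_add_batch+0x3c/0x160 (P)
 dst_release+0xec/0x108
 dst_cache_destroy+0x68/0xd8
 dst_destroy+0x13c/0x168
EOF
}

# Live use (usual paths, adjust per distribution):
#   dst_cache_enabled "/boot/config-$(uname -r)" && tunnel_modules /proc/modules
#   dmesg | has_dst_release_oops && echo "dst_release crash signature found"
sample_oops | has_dst_release_oops && echo "signature found in sample"
```

A host is in scope for the advisory's scenario only when the config check succeeds and a tunnel or Open vSwitch module is loaded; the log check then shows whether the crash has already occurred there.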

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.812Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9831c4522896dcbe7f63

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/3/2025, 8:41:13 PM

Last updated: 8/12/2025, 5:38:40 AM
