CVE-2025-22077: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: Revert "smb: client: fix TCP timers deadlock after rmmod" This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801. Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is mentioned as CVE-2024-54680, but is actually did not fix anything; The issue can be reproduced on top of it. [0] Also, it reverted the change by commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") and introduced a real issue by reviving the kernel TCP socket. When a reconnect happens for a CIFS connection, the socket state transitions to FIN_WAIT_1. Then, inet_csk_clear_xmit_timers_sync() in tcp_close() stops all timers for the socket. If an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1 forever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans. Usually, FIN can be retransmitted by the peer, but if the peer aborts the connection, the issue comes into reality. I warned about this privately by pointing out the exact report [1], but the bogus fix was finally merged. So, we should not stop the timers to finally kill the connection on our side in that case, meaning we must not use a kernel socket for TCP whose sk->sk_net_refcnt is 0. The kernel socket does not have a reference to its netns to make it possible to tear down netns without cleaning up every resource in it. For example, tunnel devices use a UDP socket internally, but we can destroy netns without removing such devices and let it complete during exit. Otherwise, netns would be leaked when the last application died. However, this is problematic for TCP sockets because TCP has timers to close the connection gracefully even after the socket is close()d. The lifetime of the socket and its netns is different from the lifetime of the underlying connection. If the socket user does not maintain the netns lifetime, the timer could be fired after the socket is close()d and its netns is freed up, resulting in use-after-free. Actually, we have seen so many similar issues and converted such sockets to have a reference to netns. That's why I converted the CIFS client socket to have a reference to netns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope of CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right fix**. Regarding the LOCKDEP issue, we can prevent the module unload by bumping the module refcount when switching the LOCKDDEP key in sock_lock_init_class_and_name(). [2] For a while, let's revert the bogus fix. Note that now we can use sk_net_refcnt_upgrade() for the socket conversion, but I'll do so later separately to make backport easy.
AI Analysis
Technical Summary
CVE-2025-22077 is a vulnerability in the Linux kernel related to the handling of TCP socket timers and network namespace (netns) references within the SMB/CIFS client implementation. The issue arises from a flawed fix that attempted to resolve a null pointer dereference in LOCKDEP (a kernel locking correctness validator) but inadvertently reintroduced a use-after-free condition and socket state management problems. Specifically, when a CIFS connection reconnects, the TCP socket transitions to the FIN_WAIT_1 state. Normally, the kernel's tcp_close() function stops all timers associated with the socket to gracefully close the connection. However, if an incoming FIN packet is lost and the peer aborts the connection, the socket can remain stuck in FIN_WAIT_1 indefinitely. This leads to socket leaks that can accumulate up to the limit set by net.ipv4.tcp_max_orphans, potentially exhausting system resources. The root cause is that the kernel socket does not maintain a reference count to its network namespace (sk_net_refcnt), allowing the netns to be freed while timers are still active, resulting in use-after-free conditions. The vulnerability stems from reverting a prior commit that had correctly added a netns reference to the CIFS client socket, which was the proper fix. The flawed revert reintroduced the problem by removing this reference, causing TCP socket timers to be stopped prematurely and the socket to leak. The vulnerability also highlights the complexity of managing socket lifetimes and netns lifetimes, especially for TCP connections that require timers to close gracefully even after socket close() calls. The report suggests that the correct approach is to maintain a netns reference count on the socket to prevent premature freeing and to prevent module unloads by managing LOCKDEP keys properly. This vulnerability affects multiple Linux kernel versions identified by specific commits and is currently published without a CVSS score or known exploits in the wild.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running Linux kernels with the affected commits, especially those utilizing SMB/CIFS clients for file sharing and network storage. The socket leak in FIN_WAIT_1 state can lead to resource exhaustion on critical servers, causing denial of service (DoS) conditions. This can disrupt file sharing services, impacting business operations reliant on networked storage or SMB-based applications. The use-after-free condition could potentially be leveraged for local privilege escalation or kernel crashes, though no direct exploit is known yet. Given the widespread use of Linux in European data centers, cloud infrastructures, and enterprise environments, the vulnerability could affect a broad range of servers and network devices. The issue is particularly relevant for organizations with complex network namespace configurations, containerized environments, or those employing advanced network virtualization, as improper netns reference handling can lead to stability and security issues. The vulnerability also complicates kernel module management and could affect the reliability of network services. While no active exploits are reported, the potential for denial of service and system instability makes timely mitigation critical to maintain operational continuity and security posture.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that reintroduce the correct fix, which involves maintaining a netns reference count on CIFS client sockets to prevent socket leaks and use-after-free conditions. Since no official patch links are provided, organizations should monitor Linux kernel mailing lists and vendor advisories for backported fixes or updated kernel releases addressing CVE-2025-22077. In the interim, system administrators should: 1) Monitor TCP socket states, particularly FIN_WAIT_1, to detect abnormal socket accumulation that may indicate exploitation or resource leaks. 2) Adjust the net.ipv4.tcp_max_orphans sysctl parameter cautiously to prevent resource exhaustion but avoid masking the underlying issue. 3) Review and harden network namespace and container configurations to ensure proper cleanup of network resources. 4) Limit SMB/CIFS client usage on critical systems or isolate vulnerable systems until patched. 5) Employ kernel lockdown features or module signing to prevent unauthorized module unloads that might trigger LOCKDEP-related issues. 6) Engage with Linux distribution vendors for security advisories and apply recommended kernel updates promptly. These steps go beyond generic advice by focusing on kernel-level resource management, network namespace hygiene, and proactive monitoring of TCP socket states relevant to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2025-22077: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: Revert "smb: client: fix TCP timers deadlock after rmmod" This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801. Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is mentioned as CVE-2024-54680, but is actually did not fix anything; The issue can be reproduced on top of it. [0] Also, it reverted the change by commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") and introduced a real issue by reviving the kernel TCP socket. When a reconnect happens for a CIFS connection, the socket state transitions to FIN_WAIT_1. Then, inet_csk_clear_xmit_timers_sync() in tcp_close() stops all timers for the socket. If an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1 forever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans. Usually, FIN can be retransmitted by the peer, but if the peer aborts the connection, the issue comes into reality. I warned about this privately by pointing out the exact report [1], but the bogus fix was finally merged. So, we should not stop the timers to finally kill the connection on our side in that case, meaning we must not use a kernel socket for TCP whose sk->sk_net_refcnt is 0. The kernel socket does not have a reference to its netns to make it possible to tear down netns without cleaning up every resource in it. For example, tunnel devices use a UDP socket internally, but we can destroy netns without removing such devices and let it complete during exit. Otherwise, netns would be leaked when the last application died. However, this is problematic for TCP sockets because TCP has timers to close the connection gracefully even after the socket is close()d. The lifetime of the socket and its netns is different from the lifetime of the underlying connection. If the socket user does not maintain the netns lifetime, the timer could be fired after the socket is close()d and its netns is freed up, resulting in use-after-free. Actually, we have seen so many similar issues and converted such sockets to have a reference to netns. That's why I converted the CIFS client socket to have a reference to netns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope of CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right fix**. Regarding the LOCKDEP issue, we can prevent the module unload by bumping the module refcount when switching the LOCKDDEP key in sock_lock_init_class_and_name(). [2] For a while, let's revert the bogus fix. Note that now we can use sk_net_refcnt_upgrade() for the socket conversion, but I'll do so later separately to make backport easy.
AI-Powered Analysis
Technical Analysis
CVE-2025-22077 is a vulnerability in the Linux kernel related to the handling of TCP socket timers and network namespace (netns) references within the SMB/CIFS client implementation. The issue arises from a flawed fix that attempted to resolve a null pointer dereference in LOCKDEP (a kernel locking correctness validator) but inadvertently reintroduced a use-after-free condition and socket state management problems. Specifically, when a CIFS connection reconnects, the TCP socket transitions to the FIN_WAIT_1 state. Normally, the kernel's tcp_close() function stops all timers associated with the socket to gracefully close the connection. However, if an incoming FIN packet is lost and the peer aborts the connection, the socket can remain stuck in FIN_WAIT_1 indefinitely. This leads to socket leaks that can accumulate up to the limit set by net.ipv4.tcp_max_orphans, potentially exhausting system resources. The root cause is that the kernel socket does not maintain a reference count to its network namespace (sk_net_refcnt), allowing the netns to be freed while timers are still active, resulting in use-after-free conditions. The vulnerability stems from reverting a prior commit that had correctly added a netns reference to the CIFS client socket, which was the proper fix. The flawed revert reintroduced the problem by removing this reference, causing TCP socket timers to be stopped prematurely and the socket to leak. The vulnerability also highlights the complexity of managing socket lifetimes and netns lifetimes, especially for TCP connections that require timers to close gracefully even after socket close() calls. The report suggests that the correct approach is to maintain a netns reference count on the socket to prevent premature freeing and to prevent module unloads by managing LOCKDEP keys properly. This vulnerability affects multiple Linux kernel versions identified by specific commits and is currently published without a CVSS score or known exploits in the wild.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running Linux kernels with the affected commits, especially those utilizing SMB/CIFS clients for file sharing and network storage. The socket leak in FIN_WAIT_1 state can lead to resource exhaustion on critical servers, causing denial of service (DoS) conditions. This can disrupt file sharing services, impacting business operations reliant on networked storage or SMB-based applications. The use-after-free condition could potentially be leveraged for local privilege escalation or kernel crashes, though no direct exploit is known yet. Given the widespread use of Linux in European data centers, cloud infrastructures, and enterprise environments, the vulnerability could affect a broad range of servers and network devices. The issue is particularly relevant for organizations with complex network namespace configurations, containerized environments, or those employing advanced network virtualization, as improper netns reference handling can lead to stability and security issues. The vulnerability also complicates kernel module management and could affect the reliability of network services. While no active exploits are reported, the potential for denial of service and system instability makes timely mitigation critical to maintain operational continuity and security posture.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that reintroduce the correct fix, which involves maintaining a netns reference count on CIFS client sockets to prevent socket leaks and use-after-free conditions. Since no official patch links are provided, organizations should monitor Linux kernel mailing lists and vendor advisories for backported fixes or updated kernel releases addressing CVE-2025-22077. In the interim, system administrators should: 1) Monitor TCP socket states, particularly FIN_WAIT_1, to detect abnormal socket accumulation that may indicate exploitation or resource leaks. 2) Adjust the net.ipv4.tcp_max_orphans sysctl parameter cautiously to prevent resource exhaustion but avoid masking the underlying issue. 3) Review and harden network namespace and container configurations to ensure proper cleanup of network resources. 4) Limit SMB/CIFS client usage on critical systems or isolate vulnerable systems until patched. 5) Employ kernel lockdown features or module signing to prevent unauthorized module unloads that might trigger LOCKDEP-related issues. 6) Engage with Linux distribution vendors for security advisories and apply recommended kernel updates promptly. These steps go beyond generic advice by focusing on kernel-level resource management, network namespace hygiene, and proactive monitoring of TCP socket states relevant to this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.815Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9831c4522896dcbe8011
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 8:57:13 PM
Last updated: 8/1/2025, 8:40:23 AM
Views: 16
Related Threats
CVE-2025-9013: SQL Injection in PHPGurukul Online Shopping Portal Project
MediumCVE-2025-9012: SQL Injection in PHPGurukul Online Shopping Portal Project
MediumCVE-2025-9011: SQL Injection in PHPGurukul Online Shopping Portal Project
MediumCVE-2025-9010: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumCVE-2025-9009: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.