CVE-2025-23143: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds. # ss -tan State Recv-Q Send-Q Local Address:Port Peer Address:Port FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 # lsmod | grep cifs cifs 1159168 0 This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully. While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref. If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue. Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free(). Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO. [0]: CIFS_SERVER="10.0.0.137" CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" DEV="enp0s3" CRED="/root/WindowsCredential.txt" MNT=$(mktemp -d /tmp/XXXXXX) mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 iptables -A INPUT -s ${CIFS_SERVER} -j DROP for i in $(seq 10); do umount ${MNT} rmmod cifs sleep 1 done rm -r ${MNT} iptables -D INPUT -s ${CIFS_SERVER} -j DROP [1]: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) ... Call Trace: <IRQ> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ... BUG: kernel NULL pointer dereference, address: 00000000000000c4 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire (kernel/ ---truncated---
AI Analysis
Technical Summary
CVE-2025-23143 is a vulnerability in the Linux kernel related to the handling of TCP sockets within the CIFS (Common Internet File System) kernel module. The issue arises from a race condition and lifecycle discrepancy between the CIFS kernel module and the underlying TCP socket it uses. Specifically, when the CIFS module is unmounted and removed (rmmod), it calls sock_release() on the TCP socket. However, if incoming FIN packets are dropped (for example, by an iptables rule), the TCP socket remains in the FIN_WAIT_1 state and does not close immediately. This leads to a situation where the CIFS module's reference count drops to zero and the module is unloaded, but the TCP socket is still active and holds a lock class assigned by the module via sock_lock_init_class_and_name(). When LOCKDEP (the Linux kernel's lock dependency validator) is enabled, it attempts to check the lock context during socket operations. Since the module has been unloaded, the lock class pointer is invalid (NULL), causing a null pointer dereference and kernel crash (kernel oops). This is a use-after-free type of vulnerability triggered by unloading a kernel module while sockets it initialized are still alive. The vulnerability is triggered by a specific sequence: mounting CIFS, adding iptables rules to drop FIN packets, unmounting CIFS, unloading the CIFS module, and then removing the iptables rule. The root cause is that the module does not hold a reference to the socket lock class, allowing the module to be unloaded prematurely. The proposed fix is to hold a module reference in sock_lock_init_class_and_name() and release it only when the socket is freed, preventing module unload while sockets are active. This vulnerability affects Linux kernel versions including the one referenced (6.14.0) and impacts modules like CIFS and potentially NFS that use similar locking mechanisms. It causes kernel crashes due to null pointer dereferences, which can lead to denial of service (DoS) conditions on affected systems. There is no indication of remote code execution or privilege escalation, but the kernel panic can disrupt system availability. No CVSS score is assigned yet, and no known exploits in the wild have been reported as of publication.
Potential Impact
For European organizations, the impact of CVE-2025-23143 primarily involves potential denial of service due to kernel crashes on Linux systems using CIFS or similar network file system modules. CIFS is commonly used in enterprise environments for file sharing with Windows servers. Organizations relying on Linux servers for file storage, network shares, or acting as CIFS clients or servers could experience unexpected system crashes, leading to service interruptions. This vulnerability could affect critical infrastructure, data centers, and cloud providers running Linux with CIFS modules enabled, especially if iptables or firewall rules inadvertently drop FIN packets, triggering the issue. The disruption could impact business continuity, data availability, and operational efficiency. While the vulnerability does not appear to allow remote code execution or data compromise directly, denial of service on critical servers can have cascading effects on dependent services and applications. Given the kernel-level nature of the bug, recovery requires system reboots and patching, which may cause planned downtime. Organizations with strict uptime requirements or those operating in regulated sectors (finance, healthcare, government) must prioritize mitigation to avoid operational risks.
Mitigation Recommendations
1. Apply Kernel Updates: Deploy the official Linux kernel patches that address this issue as soon as they become available. Ensure all Linux systems running CIFS or similar modules are updated to a fixed kernel version. 2. Avoid Dropping FIN Packets: Review and adjust firewall (iptables) rules to avoid dropping FIN packets on CIFS-related traffic. This prevents sockets from lingering in FIN_WAIT_1 state and triggering the race condition. 3. Module Unload Controls: Implement operational controls to prevent unloading CIFS or NFS kernel modules while active sockets exist. This can include monitoring socket states and module usage before unloading. 4. Disable LOCKDEP in Production: If feasible and after risk assessment, consider disabling LOCKDEP in production environments where stability is critical, as LOCKDEP triggers the null pointer dereference. However, this reduces lock debugging capabilities. 5. Monitoring and Alerting: Deploy monitoring to detect kernel oops or crashes related to socket locking and CIFS module usage. Early detection can reduce downtime. 6. Test in Staging: Before deploying firewall rules or kernel updates, test in staging environments to ensure no unintended packet drops or module unload sequences cause instability. 7. Educate Network Teams: Ensure network and security teams understand the impact of dropping FIN packets and coordinate firewall policies accordingly. These mitigations go beyond generic advice by focusing on the interaction between firewall rules, kernel module lifecycle, and socket states specific to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
CVE-2025-23143: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds. # ss -tan State Recv-Q Send-Q Local Address:Port Peer Address:Port FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 # lsmod | grep cifs cifs 1159168 0 This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully. While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref. If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue. Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free(). Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO. [0]: CIFS_SERVER="10.0.0.137" CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" DEV="enp0s3" CRED="/root/WindowsCredential.txt" MNT=$(mktemp -d /tmp/XXXXXX) mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 iptables -A INPUT -s ${CIFS_SERVER} -j DROP for i in $(seq 10); do umount ${MNT} rmmod cifs sleep 1 done rm -r ${MNT} iptables -D INPUT -s ${CIFS_SERVER} -j DROP [1]: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) ... Call Trace: <IRQ> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ... BUG: kernel NULL pointer dereference, address: 00000000000000c4 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire (kernel/ ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2025-23143 is a vulnerability in the Linux kernel related to the handling of TCP sockets within the CIFS (Common Internet File System) kernel module. The issue arises from a race condition and lifecycle discrepancy between the CIFS kernel module and the underlying TCP socket it uses. Specifically, when the CIFS module is unmounted and removed (rmmod), it calls sock_release() on the TCP socket. However, if incoming FIN packets are dropped (for example, by an iptables rule), the TCP socket remains in the FIN_WAIT_1 state and does not close immediately. This leads to a situation where the CIFS module's reference count drops to zero and the module is unloaded, but the TCP socket is still active and holds a lock class assigned by the module via sock_lock_init_class_and_name(). When LOCKDEP (the Linux kernel's lock dependency validator) is enabled, it attempts to check the lock context during socket operations. Since the module has been unloaded, the lock class pointer is invalid (NULL), causing a null pointer dereference and kernel crash (kernel oops). This is a use-after-free type of vulnerability triggered by unloading a kernel module while sockets it initialized are still alive. The vulnerability is triggered by a specific sequence: mounting CIFS, adding iptables rules to drop FIN packets, unmounting CIFS, unloading the CIFS module, and then removing the iptables rule. The root cause is that the module does not hold a reference to the socket lock class, allowing the module to be unloaded prematurely. The proposed fix is to hold a module reference in sock_lock_init_class_and_name() and release it only when the socket is freed, preventing module unload while sockets are active. This vulnerability affects Linux kernel versions including the one referenced (6.14.0) and impacts modules like CIFS and potentially NFS that use similar locking mechanisms. It causes kernel crashes due to null pointer dereferences, which can lead to denial of service (DoS) conditions on affected systems. There is no indication of remote code execution or privilege escalation, but the kernel panic can disrupt system availability. No CVSS score is assigned yet, and no known exploits in the wild have been reported as of publication.
Potential Impact
For European organizations, the impact of CVE-2025-23143 primarily involves potential denial of service due to kernel crashes on Linux systems using CIFS or similar network file system modules. CIFS is commonly used in enterprise environments for file sharing with Windows servers. Organizations relying on Linux servers for file storage, network shares, or acting as CIFS clients or servers could experience unexpected system crashes, leading to service interruptions. This vulnerability could affect critical infrastructure, data centers, and cloud providers running Linux with CIFS modules enabled, especially if iptables or firewall rules inadvertently drop FIN packets, triggering the issue. The disruption could impact business continuity, data availability, and operational efficiency. While the vulnerability does not appear to allow remote code execution or data compromise directly, denial of service on critical servers can have cascading effects on dependent services and applications. Given the kernel-level nature of the bug, recovery requires system reboots and patching, which may cause planned downtime. Organizations with strict uptime requirements or those operating in regulated sectors (finance, healthcare, government) must prioritize mitigation to avoid operational risks.
Mitigation Recommendations
1. Apply Kernel Updates: Deploy the official Linux kernel patches that address this issue as soon as they become available. Ensure all Linux systems running CIFS or similar modules are updated to a fixed kernel version. 2. Avoid Dropping FIN Packets: Review and adjust firewall (iptables) rules to avoid dropping FIN packets on CIFS-related traffic. This prevents sockets from lingering in FIN_WAIT_1 state and triggering the race condition. 3. Module Unload Controls: Implement operational controls to prevent unloading CIFS or NFS kernel modules while active sockets exist. This can include monitoring socket states and module usage before unloading. 4. Disable LOCKDEP in Production: If feasible and after risk assessment, consider disabling LOCKDEP in production environments where stability is critical, as LOCKDEP triggers the null pointer dereference. However, this reduces lock debugging capabilities. 5. Monitoring and Alerting: Deploy monitoring to detect kernel oops or crashes related to socket locking and CIFS module usage. Early detection can reduce downtime. 6. Test in Staging: Before deploying firewall rules or kernel updates, test in staging environments to ensure no unintended packet drops or module unload sequences cause instability. 7. Educate Network Teams: Ensure network and security teams understand the impact of dropping FIN packets and coordinate firewall policies accordingly. These mitigations go beyond generic advice by focusing on the interaction between firewall rules, kernel module lifecycle, and socket states specific to this vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-01-11T14:28:41.512Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9832c4522896dcbe8235
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 10:10:08 PM
Last updated: 8/17/2025, 8:13:42 PM
Views: 9
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.