CVE-2025-22057 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

net: decrease cached dst counters in dst_release

Upstream fix ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") moved decrementing the dst count from dst_destroy to dst_release to avoid accessing already freed data in case of netns dismantle. However in case CONFIG_DST_CACHE is enabled and OvS+tunnels are used, this fix is incomplete as the same issue will be seen for cached dsts:

Unable to handle kernel paging request at virtual address ffff5aabf6b5c000
Call trace:
 percpu_counter_add_batch+0x3c/0x160 (P)
 dst_release+0xec/0x108
 dst_cache_destroy+0x68/0xd8
 dst_destroy+0x13c/0x168
 dst_destroy_rcu+0x1c/0xb0
 rcu_do_batch+0x18c/0x7d0
 rcu_core+0x174/0x378
 rcu_core_si+0x18/0x30

Fix this by invalidating the cache, and thus decrementing cached dst counters, in dst_release too.


Analysis

by VulDB Data Team • 02/15/2026

The vulnerability described in CVE-2025-22057 represents a critical memory management issue within the Linux kernel's networking subsystem, specifically affecting the destination cache handling mechanism. This flaw manifests when the kernel attempts to manage network routing information through the destination cache system, which is designed to optimize routing lookups by caching frequently accessed routing entries. The issue primarily impacts systems utilizing Open vSwitch with tunneling capabilities, where the kernel's handling of cached destination entries becomes problematic during network namespace cleanup operations.

The technical root cause stems from an incomplete fix implemented in kernel version 5.18, which addressed a similar issue in the non-cached destination entry handling. The original fix moved the decrementing of destination counters from the dst_destroy function to dst_release to prevent accessing freed memory during network namespace dismantling. However, this solution did not account for the specific behavior of cached destination entries, which are managed differently from regular entries. When CONFIG_DST_CACHE is enabled and Open vSwitch with tunneling is active, the cached destination entries still exhibit the same memory access violation pattern that the upstream fix was intended to resolve.

The operational impact of this vulnerability is severe, as it can lead to kernel page faults and system crashes when the kernel attempts to access virtual memory addresses that have already been freed or invalidated. The call trace demonstrates the execution path leading to the failure, showing that percpu_counter_add_batch is called during dst_release, which then triggers a cascade of function calls including dst_cache_destroy and ultimately dst_destroy_rcu. The specific virtual address ffff5aabf6b5c000 indicates that the kernel is attempting to access memory that has been deallocated, resulting in a kernel paging request failure that terminates the system's ability to process network traffic properly.

The fix for this vulnerability requires modifying the dst_release function to invalidate the cache and decrement cached destination counters during the release process, ensuring that all destination entries, whether cached or not, are properly accounted for during memory cleanup operations. This approach aligns with the principle of preventing use-after-free conditions and maintaining proper reference counting mechanisms in kernel memory management. The vulnerability can be categorized under CWE-415 as an improper handling of memory allocation and deallocation, and it maps to ATT&CK technique T1059.003 for kernel-level code execution and system stability compromise. Organizations running Linux systems with Open vSwitch and tunneling configurations should prioritize applying this fix to prevent potential denial-of-service conditions and system crashes that could disrupt network services and compromise system availability.
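A log-triage check for the crash signature described above, as an added example that is not from the kernel patch or from VulDB: it extracts each call trace from kernel log text and flags traces in which the advisory's four innermost frames appear in order. The function names and the sample log (the advisory's trace with constructed timestamps, followed by a constructed unrelated trace) are assumptions for illustration.

```python
import re

# Frames from the advisory's call trace, innermost first (the order an oops prints them).
SIGNATURE = ["percpu_counter_add_batch", "dst_release", "dst_cache_destroy", "dst_destroy"]
# "symbol+0xoff/0xsize"; a leading "? " marks an unreliable frame on some architectures.
FRAME_RE = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
MARKER_RE = re.compile(r"</?(TASK|IRQ|SOFTIRQ)>")

def extract_traces(log_text):
    """Return [(fault_line, [symbols])] for every call trace in a kernel log."""
    traces, frames, fault = [], None, None
    for line in log_text.splitlines():
        if "Unable to handle kernel" in line or "BUG:" in line:
            fault = line.strip()
        if re.search(r"call trace:", line, re.I):
            frames = []
            traces.append((fault, frames))
            fault = None
        elif frames is not None:
            m = FRAME_RE.search(line)
            if m and not m.group(1):      # keep reliable frames only
                frames.append(m.group(2))
            elif not m and not MARKER_RE.search(line):
                frames = None             # first non-frame line ends the trace
    return traces

def is_subsequence(needle, haystack):
    """True if needle's items appear in haystack in the same order."""
    it = iter(haystack)
    return all(sym in it for sym in needle)

def find_cached_dst_crashes(log_text):
    """Fault lines of traces whose frames contain SIGNATURE in order."""
    return [f for f, frames in extract_traces(log_text) if is_subsequence(SIGNATURE, frames)]

# Constructed sample: the advisory's trace with dmesg-style timestamps, then an unrelated trace.
SAMPLE_LOG = """\
[ 100.000000] Unable to handle kernel paging request at virtual address ffff5aabf6b5c000
[ 100.000001] Call trace:
[ 100.000002]  percpu_counter_add_batch+0x3c/0x160 (P)
[ 100.000003]  dst_release+0xec/0x108
[ 100.000004]  dst_cache_destroy+0x68/0xd8
[ 100.000005]  dst_destroy+0x13c/0x168
[ 200.000000] BUG: constructed unrelated fault
[ 200.000001] Call Trace:
[ 200.000002]  <TASK>
[ 200.000003]  ? dst_release+0x10/0x20
[ 200.000004]  schedule+0x5d/0xe0
"""
```

Run `find_cached_dst_crashes()` over `dmesg` output or a saved console log; a match is a triage lead rather than proof, since inlining and symbol names can differ between kernel builds.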

Responsible: Linux
Reservation: 12/29/2024
Disclosure: 04/16/2025
Moderation: accepted
CPE: ready
EPSS: 0.00165
KEV: no
Activities: very low
