CVE-2025-38273 in Linux
Summary
by MITRE • 07/10/2025
In the Linux kernel, the following vulnerability has been resolved:
net: tipc: fix refcount warning in tipc_aead_encrypt
syzbot reported a refcount warning [1] caused by calling get_net() on
a network namespace that is being destroyed (refcount=0). This happens when a TIPC discovery timer fires during network namespace cleanup.
The recently added get_net() call in commit e279024617134 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to hold a reference to the network namespace. However, if the namespace is already being destroyed, its refcount might be zero, leading to the use-after-free warning.
Replace get_net() with maybe_get_net(), which safely checks if the refcount is non-zero before incrementing it. If the namespace is being destroyed, return -ENODEV early, after releasing the bearer reference.
[1]: https://lore.kernel.org/all/[email protected]/T/#m12019cf9ae77e1954f666914640efa36d52704a2
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/19/2025
The vulnerability identified as CVE-2025-38273 resides within the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem, specifically in the tipc_aead_encrypt function. This issue represents a classic race condition scenario where improper reference counting leads to potential use-after-free conditions during network namespace cleanup operations. The problem manifests when a TIPC discovery timer fires concurrently with the destruction of a network namespace, creating a dangerous timing window that can result in system instability or security implications. The vulnerability was discovered through automated fuzzing by syzbot, which identified a refcount warning indicating that get_net() was being called on a namespace that was already in the process of being destroyed.
The technical flaw stems from an incorrect assumption in commit e279024617134, which introduced a get_net() call to prevent a slab-use-after-free condition in the tipc_aead_encrypt_done function. However, this approach fails to account for the possibility that the network namespace might already be in the process of destruction when the timer fires. The get_net() function does not perform a safety check to verify that the reference count is still valid before incrementing it, which can lead to accessing memory that has already been freed. This particular implementation violates the fundamental principle of safe reference counting in kernel space, where all operations must account for concurrent access and potential cleanup scenarios. The vulnerability directly maps to CWE-415: Double Free and CWE-416: Use After Free, as it involves accessing memory that has been prematurely deallocated due to improper reference management.
The operational impact of this vulnerability extends beyond simple system crashes, potentially allowing for privilege escalation or denial of service conditions in environments where TIPC is actively used for inter-process communication. When a network namespace is being destroyed, any active timers or processes that attempt to access that namespace without proper validation can trigger the use-after-free condition. This creates a window where malicious actors could potentially exploit the timing race to execute arbitrary code or cause system instability. The vulnerability affects systems running Linux kernels that include the problematic commit, particularly those utilizing TIPC for network communication between processes or containers. From an attack perspective, this aligns with ATT&CK technique T1068: Exploitation for Privilege Escalation, as the use-after-free condition could potentially be leveraged to gain elevated privileges within the kernel space.
The fix implemented addresses this vulnerability by replacing the unsafe get_net() call with maybe_get_net(), which incorporates proper validation before incrementing the reference count. This change ensures that when a network namespace is already being destroyed, the function returns -ENODEV early rather than attempting to access freed memory. The solution follows established kernel development practices for handling concurrent access scenarios and demonstrates proper defensive programming techniques. The mitigation strategy effectively prevents the race condition by checking the namespace state before attempting to acquire a reference, thereby avoiding the use-after-free scenario. This approach aligns with kernel security best practices and represents a minimal but effective change that preserves existing functionality while eliminating the dangerous race condition. The fix specifically addresses the timing issue where TIPC timers fire during namespace cleanup, ensuring that all namespace access operations properly validate the namespace state before proceeding with reference management operations.