CVE-2025-21864
📋 TL;DR
A Linux kernel vulnerability where TCP connections in specific network namespace configurations can retain security path (secpath) references after they're no longer needed, potentially causing use-after-free conditions during network namespace deletion. This affects Linux systems using IPsec with IPv6 and specific TCP/IP configurations. The vulnerability can lead to kernel warnings or crashes.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic or system crash when deleting network namespaces, potentially causing denial of service on affected systems.
Likely Case
Kernel warning messages in logs during network namespace cleanup operations, with possible system instability.
If Mitigated
Minor performance impact during TCP/IP operations with proper patching.
🎯 Exploit Status
Exploitation requires specific network namespace operations and IPsec configurations. Primarily a reliability issue rather than a security bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 69cafd9413084cd5012cf5d7c7ec6f3d493726d9, 87858bbf21da239ace300d61dd209907995c0491, 9b6412e6979f6f9e0632075f8f008937b5cd4efd, cd34a07f744451e2ecf9005bb7d24d0b2fb83656, f1d5e6a5e468308af7759cf5276779d3155c5e98
Vendor Advisory: https://git.kernel.org/stable/c/69cafd9413084cd5012cf5d7c7ec6f3d493726d9
Restart Required: Yes
Instructions:
1. Update the Linux kernel to the patched version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.
🔧 Temporary Workarounds
Avoid network namespace deletion
Prevent deletion of network namespaces while TCP connections with IPsec/IPv6 are active.
Disable IPsec IPv6 compression
Disable ipcomp6 if it is not required for your network configuration. Note that the net.ipv6.conf.*.use_tempaddr sysctls configure IPv6 temporary (privacy) addresses and do not affect ipcomp6. If IPv6 IPComp is built as a module and no IPsec policy on the host depends on it, unload it and prevent it from being loaded again:
modprobe -r ipcomp6
echo "blacklist ipcomp6" > /etc/modprobe.d/blacklist-ipcomp6.conf
🧯 If You Can't Patch
- Avoid creating/deleting network namespaces while TCP/IPsec connections are active
- Monitor kernel logs for WARN messages related to xfrm6_tunnel_net_exit and restart affected services
🔍 How to Verify
Check if Vulnerable:
Check kernel version and compare with patched versions from git commits. Look for kernel WARN messages in dmesg related to xfrm6_tunnel_net_exit.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes the fix commits. Test network namespace creation/deletion with IPsec/IPv6 TCP connections.
📡 Detection & Monitoring
Log Indicators:
- Kernel WARN messages containing 'xfrm6_tunnel_net_exit'
- System crash logs during network namespace operations
Network Indicators:
- Unusual TCP connection drops during network namespace transitions
SIEM Query:
source="kernel" AND "WARN" AND "xfrm6_tunnel_net_exit"
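The "How to Verify" and "Detection & Monitoring" sections both rely on the same log indicator: a kernel WARN splat whose faulting function is xfrm6_tunnel_net_exit. The following Python script is an added example (not code from the advisory or from the kernel project) that scans dmesg- or journal-style output for exactly that header line and collects the call-trace frames that follow it, so a responder can confirm the warning fired during network namespace cleanup rather than from an unrelated WARN. The sample log text is constructed to mimic the kernel's WARN format; the source line number, timestamps, PIDs and stack frames in it are assumptions, not values taken from a real system.

```python
import re
from typing import Dict, List

# Constructed sample kernel log text (not captured from a real machine). The first
# six lines mimic the shape of a WARN splat raised from xfrm6_tunnel_net_exit during
# netns teardown; the remaining lines are noise the detector must ignore, including
# an unrelated WARNING from a hypothetical function in another file.
SAMPLE_DMESG = """\
[ 1234.567890] ------------[ cut here ]------------
[ 1234.567901] WARNING: CPU: 1 PID: 42 at net/ipv6/xfrm6_tunnel.c:327 xfrm6_tunnel_net_exit+0x1a/0x40
[ 1234.567950] Call Trace:
[ 1234.568000]  ops_exit_list+0x1a/0x60
[ 1234.568010]  cleanup_net+0x1c4/0x2b0
[ 1234.568100] ---[ end trace 0000000000000000 ]---
[ 1300.000000] eth0: link up
[ 1301.000000] WARNING: CPU: 0 PID: 7 at drivers/foo/bar.c:10 unrelated_func+0x10/0x20
"""

# Header line of a kernel WARN splat:
#   "[ ts] WARNING: CPU: n PID: n at file:line func+0xoff/0xlen [module]"
# The regex is anchored at the start only, so a trailing "[xfrm6_tunnel]" module
# tag (present when the code is built as a module) does not break the match.
WARN_HEADER = re.compile(
    r"^\[\s*(?P<ts>[0-9.]+)\]\s+WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) "
    r"at (?P<site>\S+) (?P<func>[A-Za-z_][A-Za-z0-9_]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# A stack frame line inside the splat, e.g. "[ ts]  cleanup_net+0x1c4/0x2b0".
TRACE_FRAME = re.compile(r"^\[\s*[0-9.]+\]\s+(?P<frame>\S+\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")
# The marker that closes the splat.
TRACE_END = re.compile(r"^\[\s*[0-9.]+\]\s+---\[ end trace")

INDICATOR_FUNC = "xfrm6_tunnel_net_exit"


def find_xfrm6_tunnel_warns(log_text: str) -> List[Dict[str, object]]:
    """Return one record per WARN whose faulting function is xfrm6_tunnel_net_exit.

    Each record carries the timestamp, CPU, PID, source site and the call-trace
    frames that follow the header up to the 'end trace' marker (or the next WARN
    header), so the netns-cleanup context can be confirmed from the frames.
    """
    lines = log_text.splitlines()
    hits: List[Dict[str, object]] = []
    i = 0
    while i < len(lines):
        m = WARN_HEADER.match(lines[i])
        i += 1
        if not m or m.group("func") != INDICATOR_FUNC:
            continue
        frames: List[str] = []
        # Collect stack frames until the end-of-trace marker or the next header.
        while i < len(lines) and not TRACE_END.match(lines[i]) and not WARN_HEADER.match(lines[i]):
            f = TRACE_FRAME.match(lines[i])
            if f:
                frames.append(f.group("frame"))
            i += 1
        hits.append({
            "ts": float(m.group("ts")),
            "cpu": int(m.group("cpu")),
            "pid": int(m.group("pid")),
            "site": m.group("site"),
            "trace": frames,
        })
    return hits


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a live host you would feed
    # in the output of `dmesg` or `journalctl -k` instead.
    for hit in find_xfrm6_tunnel_warns(SAMPLE_DMESG):
        print(f"[{hit['ts']}] WARN in {INDICATOR_FUNC} at {hit['site']} "
              f"(cpu {hit['cpu']}, pid {hit['pid']}): {' <- '.join(hit['trace'])}")
```

The function name match is deliberately exact rather than a substring search on "WARN", which would also pick up the unrelated splat in the sample; the collected frames (ops_exit_list, cleanup_net in the constructed sample) are what tie a hit to network namespace teardown.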
🔗 References
- https://git.kernel.org/stable/c/69cafd9413084cd5012cf5d7c7ec6f3d493726d9
- https://git.kernel.org/stable/c/87858bbf21da239ace300d61dd209907995c0491
- https://git.kernel.org/stable/c/9b6412e6979f6f9e0632075f8f008937b5cd4efd
- https://git.kernel.org/stable/c/cd34a07f744451e2ecf9005bb7d24d0b2fb83656
- https://git.kernel.org/stable/c/f1d5e6a5e468308af7759cf5276779d3155c5e98
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html