CVE-2025-40018

Summary

In the Linux kernel, the following vulnerability has been resolved:

ipvs: Defer ip_vs_ftp unregister during netns cleanup

On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free.

Fix this by introducing a global exiting_module flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux61b1ab4583e275af216c8454b9256de680499b19 < 8a6ecab3847c213ce2855b0378e63ce839085de3affected
LinuxLinux61b1ab4583e275af216c8454b9256de680499b19 < 421b1ae1574dfdda68b835c15ac4921ec0030182affected
LinuxLinux61b1ab4583e275af216c8454b9256de680499b19 < 1d79471414d7b9424d699afff2aa79fff322f52daffected
LinuxLinux61b1ab4583e275af216c8454b9256de680499b19 < 53717f8a4347b78eac6488072ad8e5adbaff38d9affected
LinuxLinux61b1ab4583e275af216c8454b9256de680499b19 < 8cbe2a21d85727b66d7c591fd5d83df0d8c4f757affected
LinuxLinux61b1ab4583e275af216c8454b9256de680499b19 < dc1a481359a72ee7e548f1f5da671282a7c13b8faffected
LinuxLinux61b1ab4583e275af216c8454b9256de680499b19 < a343811ef138a265407167294275201621e9ebb2affected
LinuxLinux61b1ab4583e275af216c8454b9256de680499b19 < 134121bfd99a06d44ef5ba15a9beb075297c0821affected
LinuxLinux2.6.39affected
LinuxLinux0 < 2.6.39unaffected
LinuxLinux5.4.301 <= 5.4.*unaffected
LinuxLinux5.10.246 <= 5.10.*unaffected
LinuxLinux5.15.195 <= 5.15.*unaffected
LinuxLinux6.1.156 <= 6.1.*unaffected
LinuxLinux6.6.112 <= 6.6.*unaffected
LinuxLinux6.12.53 <= 6.12.*unaffected
LinuxLinux6.17.3 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References