{"id":"CVE-2025-21926","summary":"net: gso: fix ownership in __udp_gso_segment","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix ownership in __udp_gso_segment\n\nIn __udp_gso_segment the skb destructor is removed before segmenting the\nskb but the socket reference is kept as-is. This is an issue if the\noriginal skb is later orphaned as we can hit the following bug:\n\n  kernel BUG at ./include/linux/skbuff.h:3312!  (skb_orphan)\n  RIP: 0010:ip_rcv_core+0x8b2/0xca0\n  Call Trace:\n   ip_rcv+0xab/0x6e0\n   __netif_receive_skb_one_core+0x168/0x1b0\n   process_backlog+0x384/0x1100\n   __napi_poll.constprop.0+0xa1/0x370\n   net_rx_action+0x925/0xe50\n\nThe above can happen following a sequence of events when using\nOpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an\nOVS_ACTION_ATTR_OUTPUT action:\n\n1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb\n   goes through queue_gso_packets and then __udp_gso_segment, where its\n   destructor is removed.\n2. The segments' data are copied and sent to userspace.\n3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the\n   same original skb is sent to its path.\n4. If it later hits skb_orphan, we hit the bug.\n\nFix this by also removing the reference to the socket in\n__udp_gso_segment.","modified":"2026-03-20T12:41:14.645929Z","published":"2025-04-01T15:40:57.882Z","related":["ALSA-2025:8643","SUSE-SU-2025:01600-1","SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21926.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/01a83237644d6822bc7df2c5564fc81b0df84358"},{"type":"WEB","url":"https://git.kernel.org/stable/c/084819b0d8b1bd433b90142371eb9450d657f8ca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/455217ac9db0cf9349b3933664355e907bb1a569"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9f28205ddb76e86cac418332e952241d85fed0dc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a2d1cca955ed34873e524cc2e6e885450d262f05"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e8db70537878e1bb3fd83e5abcc6feefc0587828"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee01b2f2d7d0010787c2343463965bbc283a497f"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21926.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21926"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ad405857b174ed31a97982bb129c320d03321cf5"},{"fixed":"9f28205ddb76e86cac418332e952241d85fed0dc"},{"fixed":"a2d1cca955ed34873e524cc2e6e885450d262f05"},{"fixed":"455217ac9db0cf9349b3933664355e907bb1a569"},{"fixed":"e8db70537878e1bb3fd83e5abcc6feefc0587828"},{"fixed":"01a83237644d6822bc7df2c5564fc81b0df84358"},{"fixed":"084819b0d8b1bd433b90142371eb9450d657f8ca"},{"fixed":"c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b"},{"fixed":"ee01b2f2d7d0010787c2343463965bbc283a497f"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21926.json"}}],"schema_version":"1.7.5"}