{"id":"CVE-2025-39852","summary":"net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6\n\nWhen tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just\nexits the function. This ends up causing a memory-leak:\n\nunreferenced object 0xffff0000281a8200 (size 2496):\n  comm \"softirq\", pid 0, jiffies 4295174684\n  hex dump (first 32 bytes):\n    7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13  ................\n    0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00  ...a............\n  backtrace (crc 5ebdbe15):\n    kmemleak_alloc+0x44/0xe0\n    kmem_cache_alloc_noprof+0x248/0x470\n    sk_prot_alloc+0x48/0x120\n    sk_clone_lock+0x38/0x3b0\n    inet_csk_clone_lock+0x34/0x150\n    tcp_create_openreq_child+0x3c/0x4a8\n    tcp_v6_syn_recv_sock+0x1c0/0x620\n    tcp_check_req+0x588/0x790\n    tcp_v6_rcv+0x5d0/0xc18\n    ip6_protocol_deliver_rcu+0x2d8/0x4c0\n    ip6_input_finish+0x74/0x148\n    ip6_input+0x50/0x118\n    ip6_sublist_rcv+0x2fc/0x3b0\n    ipv6_list_rcv+0x114/0x170\n    __netif_receive_skb_list_core+0x16c/0x200\n    netif_receive_skb_list_internal+0x1f0/0x2d0\n\nThis is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when\nexiting upon error, inet_csk_prepare_forced_close() and tcp_done() need\nto be called. They make sure the newsk will end up being correctly\nfree'd.\n\ntcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit\nlabel that takes care of things. So, this patch here makes sure\ntcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar\nerror-handling and thus fixes the leak for TCP-AO.","modified":"2026-03-20T12:43:04.782530Z","published":"2025-09-19T15:26:24.312Z","related":["SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39852.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3d2b356d994a8801acb397cafd28b13672c37ab5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/46d33c878fc0b3d7570366b2c9912395b3f4e701"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fa390321aba0a54d0f7ae95ee4ecde1358bb9234"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39852.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39852"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"06b22ef29591f625ef877ae00d82192938e29e60"},{"fixed":"46d33c878fc0b3d7570366b2c9912395b3f4e701"},{"fixed":"3d2b356d994a8801acb397cafd28b13672c37ab5"},{"fixed":"fa390321aba0a54d0f7ae95ee4ecde1358bb9234"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39852.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}