{"id":"CVE-2025-39955","summary":"tcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().\n\nsyzbot reported the splat below where a socket had tcp_sk(sk)-\u003efastopen_rsk\nin the TCP_ESTABLISHED state. [0]\n\nsyzbot reused the server-side TCP Fast Open socket as a new client before\nthe TFO socket completes 3WHS:\n\n  1. accept()\n  2. connect(AF_UNSPEC)\n  3. connect() to another destination\n\nAs of accept(), sk-\u003esk_state is TCP_SYN_RECV, and tcp_disconnect() changes\nit to TCP_CLOSE and makes connect() possible, which restarts timers.\n\nSince tcp_disconnect() forgot to clear tcp_sk(sk)-\u003efastopen_rsk, the\nretransmit timer triggered the warning and the intended packet was not\nretransmitted.\n\nLet's call reqsk_fastopen_remove() in tcp_disconnect().\n\n[0]:\nWARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nModules linked in:\nCPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nCode: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 \u003c0f\u003e 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e\nRSP: 0018:ffffc900002f8d40 EFLAGS: 00010293\nRAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017\nRDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400\nRBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8\nR10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540\nR13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0\nFS:  0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_write_timer (net/ipv4/tcp_timer.c:738)\n call_timer_fn (kernel/time/timer.c:1747)\n __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)\n timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)\n tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)\n __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))\n tmigr_handle_remote (kernel/time/timer_migration.c:1096)\n handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)\n irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))\n \u003c/IRQ\u003e","modified":"2026-03-20T12:43:07.143498Z","published":"2025-10-09T09:47:33.556Z","related":["ALSA-2025:21931","ALSA-2025:22387","ALSA-2025:22388","ALSA-2025:22405","MGASA-2025-0309","MGASA-2025-0310","SUSE-SU-2025:21040-1","SUSE-SU-2025:21052-1","SUSE-SU-2025:21056-1","SUSE-SU-2025:21064-1","SUSE-SU-2025:21080-1","SUSE-SU-2025:21147-1","SUSE-SU-2025:21180-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4128-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4140-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4189-1","SUSE-SU-2025:4301-1","openSUSE-SU-2025:20091-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39955.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/17d699727577814198d744d6afe54735c6b54c99"},{"type":"WEB","url":"https://git.kernel.org/stable/c/33a4fdf0b4a25f8ce65380c3b0136b407ca57609"},{"type":"WEB","url":"https://git.kernel.org/stable/c/45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a4378dedd6e07e62f2fccb17d78c9665718763d0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ae313d14b45eca7a6bb29cb9bf396d977e7d28fb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dfd06131107e7b699ef1e2a24ed2f7d17c917753"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fa4749c065644af4db496b338452a69a3e5147d9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39955.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39955"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8336886f786fdacbc19b719c1f7ea91eb70706d4"},{"fixed":"7ec092a91ff351dcde89c23e795b73a328274db6"},{"fixed":"a4378dedd6e07e62f2fccb17d78c9665718763d0"},{"fixed":"33a4fdf0b4a25f8ce65380c3b0136b407ca57609"},{"fixed":"17d699727577814198d744d6afe54735c6b54c99"},{"fixed":"dfd06131107e7b699ef1e2a24ed2f7d17c917753"},{"fixed":"fa4749c065644af4db496b338452a69a3e5147d9"},{"fixed":"ae313d14b45eca7a6bb29cb9bf396d977e7d28fb"},{"fixed":"45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39955.json"}}],"schema_version":"1.7.5"}