Overview
CVE-2025-40256 identifies a critical memory leak vulnerability within the Linux kernel’s XFRM (IPsec Transform Framework) subsystem. Specifically, the issue arises when an XFRM state creation fails after partial initialization. This can lead to a fallback tunnel being leaked, impacting system stability and security. The vulnerability affects various code paths, including the add/update paths in net/key and xfrm, as well as the migrate code (xfrm_migrate, xfrm_state_migrate).
Technical Details
The root cause lies in a missing cleanup step during error handling within the XFRM state creation process. Commit b441cf3f8c4b (“xfrm: delete x->tunnel as we delete x”) aimed to address tunnel cleanup but overlooked scenarios where state creation fails between the init_state call and the state’s insertion into the relevant lists.
In these failure cases, the init_state function, particularly for IPcomp tunnels, creates and adds a fallback tunnel to the lists. However, because the user state creation fails before insertion, the standard __xfrm_state_delete path is not triggered. Consequently, xfrm_state_delete_tunnel is not called, leaving the fallback tunnel orphaned and leaking memory.
The fix involves calling xfrm_state_delete_tunnel during xfrm_state_gc_destroy. This ensures that all states, including those that failed to be fully initialized, have their fallback tunnels cleaned up during garbage collection. This complements the existing cleanup mechanism within __xfrm_state_delete, which handles the majority of cases.
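To make the ordering of the failure concrete, the following is a small added C model of the state lifecycle; it is not kernel code, and the model_* functions are stand-ins for the init_state, xfrm_state_delete_tunnel and xfrm_state_gc_destroy steps described above. It shows that the delete path only releases the fallback tunnel for states that were inserted, so the tunnel cleanup added to garbage collection is what catches the partially initialized case, and that calling it twice on the normal path is harmless.

```c
/* Simplified model of the CVE-2025-40256 leak pattern; not Linux kernel code. */
#include <stdlib.h>

static int live_tunnels;   /* fallback tunnels currently allocated */

struct model_state { void *tunnel; };   /* fallback tunnel from init_state, or NULL */

/* Stands in for init_state in the IPcomp case: creates the fallback tunnel. */
static int model_init_state(struct model_state *x)
{
    if (!(x->tunnel = malloc(16)))
        return -1;
    live_tunnels++;
    return 0;
}

/* Stands in for xfrm_state_delete_tunnel; harmless if already called. */
static void model_delete_tunnel(struct model_state *x)
{
    if (!x->tunnel)
        return;
    free(x->tunnel);
    x->tunnel = NULL;
    live_tunnels--;
}

/* Stands in for xfrm_state_gc_destroy; with the fix it also drops the tunnel. */
static void model_gc_destroy(struct model_state *x, int fix_applied)
{
    if (fix_applied)
        model_delete_tunnel(x);
    free(x);
}

/* Run one state through init_state -> (insert) -> delete -> gc.
 * Returns the number of fallback tunnels still alive; 0 means no leak. */
int tunnels_left_alive(int insert_succeeds, int fix_applied)
{
    struct model_state *x = calloc(1, sizeof(*x));
    live_tunnels = 0;
    if (!x || model_init_state(x) != 0) {
        free(x);
        return -1;
    }
    /* __xfrm_state_delete runs only for inserted states: skipped on the failing path */
    if (insert_succeeds)
        model_delete_tunnel(x);
    model_gc_destroy(x, fix_applied);
    return live_tunnels;
}
```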
CVSS Analysis
As reported, a CVSS score isn’t yet available. The severity is marked as N/A, likely due to the relatively contained nature of the memory leak and the difficulty in exploiting it for direct code execution. However, the potential for resource exhaustion and denial-of-service conditions warrants addressing this vulnerability promptly.
Possible Impact
The primary impact of this vulnerability is a memory leak within the kernel. While not directly exploitable for arbitrary code execution, a sustained leak can lead to:
- Resource Exhaustion: Over time, the leaked memory can consume available kernel memory, potentially leading to system instability and crashes.
- Denial of Service: If the memory leak is severe enough, it can trigger an out-of-memory (OOM) condition, forcing the kernel to terminate processes or even halt the system.
- Performance Degradation: Kernel memory pressure can lead to increased swapping and reduced overall system performance.
Mitigation and Patch Steps
The recommended mitigation is to apply the patch that addresses CVE-2025-40256. The fix is included in recent stable kernel releases. Check with your distribution vendor for specific kernel versions containing the patch. The relevant commits are:
- https://git.kernel.org/stable/c/10deb69864840ccf96b00ac2ab3a2055c0c04721
- https://git.kernel.org/stable/c/d6fe5c740c573af10943b8353992e1325cdb2715
Steps to mitigate this vulnerability:
- Identify Affected Systems: Determine which systems are running vulnerable kernel versions.
- Apply the Patch: Update the kernel to a patched version. This usually involves using your distribution’s package management system (e.g., apt, yum, dnf).
- Reboot the System: After applying the patch, reboot the system to load the new kernel.
- Monitor for Memory Leaks: After patching, monitor system memory usage to ensure the leak has been resolved.
