Overview
CVE-2025-40215 addresses a vulnerability in the Linux kernel's XFRM (IPsec transform framework) subsystem. The flaw lies in how IPcomp fallback tunnel states are torn down: they could be left as stale entries in the kernel's state tables and trigger warnings. The fix deletes a fallback state promptly when the last user state depending on it is deleted, preventing resource leaks and potential instability.
Technical Details
The issue arises because an IPcomp fallback tunnel was previously removed from the hashtables/lists only when the last user state that needed it was destroyed (freed), not when that user state was deleted. If a reference to the user state persisted (for example because of delayed freeing of sk_buffs or IP reassembly queues), the fallback state stayed on the hashtables/lists and triggered the WARN in xfrm_state_fini. This incomplete deletion left the fix from commit f75a2804da39 ("xfrm: destroy xfrm_state synchronously on net exit path") incomplete.
In practice this can happen when sk_buffs carrying a secpath (security path) remain on reassembly queues until the network namespace (netns) is destroyed. The patch addresses it by deleting the fallback state as soon as the last user state depending on it has been deleted. The fallback state is also given a separate lockdep class, since it is now deleted from inside the user state's deletion path and lockdep would otherwise flag the nested locking.
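The distinction the fix relies on (a state is "deleted" when it is unlinked from the netns tables, but only "destroyed" once its last reference is dropped) is easiest to see in a small model. The following is an added example written for this page, not kernel code and not part of the fix: every name in it (struct xs, xs_delete, xs_destroy, xs_delete_tunnel, flush_states, stale_states_at_teardown) is invented, and it only mirrors the ordering described above. A user state holds its IPcomp fallback via a tunnel reference; an extra reference on the user state stands in for the sk_buff secpath parked on a reassembly queue; the flush at netns exit skips fallbacks that still have users. With the pre-fix ordering the fallback is still linked when the tables are torn down (the condition behind the WARN); with the fixed ordering it is gone, and in both cases nothing leaks once the queue is freed, so only the timing differs.

```c
/* Added model of the xfrm_state lifecycle behind CVE-2025-40215. Not kernel
 * code: every name here (xs_*, flush_states, ...) is invented for the model. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct xs {
    int refcnt;        /* held by the table, skbs and dependent user states */
    int tunnel_users;  /* on a fallback: user states depending on it */
    bool linked;       /* present in the netns hashtables/lists */
    bool destroyed;    /* "freed" (a flag: nothing is malloc'd in the model) */
    struct xs *tunnel; /* fallback this user state depends on, if any */
};

static struct xs pool[8];
static int npool;
static bool fixed_behaviour;   /* false: pre-fix ordering, true: fixed */

static struct xs *xs_alloc(void) {
    struct xs *x = &pool[npool++];
    x->refcnt = 1;             /* the table's reference */
    x->linked = true;
    return x;
}

static void xs_delete(struct xs *x);
static void xs_put(struct xs *x);

/* Drop x's dependency on its fallback; delete the fallback once unused. */
static void xs_delete_tunnel(struct xs *x) {
    struct xs *t = x->tunnel;
    if (!t) return;
    x->tunnel = NULL;
    if (--t->tunnel_users == 0)
        xs_delete(t);
    xs_put(t);
}

/* "destroy": the last reference is gone. */
static void xs_destroy(struct xs *x) {
    if (!fixed_behaviour)
        xs_delete_tunnel(x);   /* pre-fix: fallback handled only here */
    x->destroyed = true;
}

static void xs_put(struct xs *x) { if (--x->refcnt == 0) xs_destroy(x); }

/* "delete": unlink from the tables and drop the table's reference. */
static void xs_delete(struct xs *x) {
    if (!x->linked) return;
    x->linked = false;
    if (fixed_behaviour)
        xs_delete_tunnel(x);   /* fixed: fallback goes as soon as x is deleted */
    xs_put(x);
}

static void xs_attach_fallback(struct xs *user, struct xs *fb) {
    user->tunnel = fb;
    fb->tunnel_users++;
    fb->refcnt++;
}

/* Netns teardown flush: a fallback that still has users is skipped. */
static void flush_states(void) {
    for (int i = 0; i < npool; i++)
        if (pool[i].tunnel_users == 0)
            xs_delete(&pool[i]);
}

static int linked_count(void) {
    int n = 0;
    for (int i = 0; i < npool; i++)
        n += pool[i].linked;
    return n;
}

/* States still on the tables when the netns is torn down; non-zero is the
 * condition the WARN in xfrm_state_fini reports. */
int stale_states_at_teardown(bool fixed) {
    memset(pool, 0, sizeof pool);
    npool = 0; fixed_behaviour = fixed;
    struct xs *fb = xs_alloc();      /* IPcomp fallback tunnel state */
    struct xs *user = xs_alloc();    /* user state that needs the fallback */
    xs_attach_fallback(user, fb);
    user->refcnt++;                  /* skb secpath on a reassembly queue */

    flush_states();                  /* netns exit: user deleted, fallback skipped */
    int stale = linked_count();

    xs_put(user);                    /* queue freed long after teardown */
    assert(fb->destroyed && user->destroyed);  /* no leak; only timing differs */
    return stale;
}

int main(void) {
    printf("pre-fix: %d stale state(s) at teardown, fixed: %d\n",
           stale_states_at_teardown(false), stale_states_at_teardown(true));
    return 0;
}
```

The only difference between the two runs is where xs_delete_tunnel is called: from xs_destroy (pre-fix) or from xs_delete (fixed). Because the fallback is itself deleted from inside the user state's deletion in the fixed ordering, the real kernel change needs the separate lockdep class mentioned above; the model has no locks, so it only shows the ordering.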
CVSS Analysis
Currently, a CVSS score is not available (N/A) for CVE-2025-40215. Although this is not a high-severity issue, stale XFRM state can lead to resource exhaustion and denial-of-service conditions. Severity varies with the specific kernel configuration and workload.
Possible Impact
The primary impact is resource consumption and potential kernel instability: stale XFRM states can accumulate and consume memory. While the flaw does not lead to remote code execution, it can contribute to system degradation and, in extreme cases, denial-of-service conditions. The WARN messages that the stale states trigger are themselves a sign that the system is in an unhealthy state.
Mitigation or Patch Steps
The recommended mitigation is to apply the patch that resolves CVE-2025-40215, available in the linked commit. For systems that cannot be patched immediately, monitoring XFRM state and rebooting periodically to clear stale entries can serve as a temporary workaround, but this is not a substitute for applying the proper fix.
