In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning in tipc_aead_encrypt syzbot reported a refcount warning [1] caused by calling get_net() on a network namespace that is being destroyed (refcount=0). This happens when a TIPC discovery timer fires during network namespace cleanup. The recently added get_net() call in commit e279024617134 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to hold a reference to the network namespace. However, if the namespace is already being destroyed, its refcount might be zero, leading to the use-after-free warning. Replace get_net() with maybe_get_net(), which safely checks if the refcount is non-zero before incrementing it. If the namespace is being destroyed, return -ENODEV early, after releasing the bearer reference. [1]: https://lore.kernel.org/all/[email protected]/T/#m12019cf9ae77e1954f666914640efa36d52704a2
2025-07-10T08:15:25.530
2025-12-18T16:58:02.433
Analyzed
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSSv3.1: 5.5 (MEDIUM)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | linux | linux_kernel | < 6.12.34 | Yes |
| Operating System | linux | linux_kernel | < 6.15 | Yes |
| Operating System | linux | linux_kernel | < 6.15.3 | Yes |
| Operating System | linux | linux_kernel | 5.10.238 | Yes |
| Operating System | linux | linux_kernel | 5.15.185 | Yes |
| Operating System | linux | linux_kernel | 6.1.141 | Yes |
| Operating System | linux | linux_kernel | 6.6.93 | Yes |
| Operating System | linux | linux_kernel | 6.15 | Yes |
| Operating System | debian | debian_linux | 11.0 | Yes |