CVE-2025-21864: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21864 is a vulnerability in the Linux kernel's TCP implementation discovered in March 2025. The issue involves improper handling of secpath references when dropping network namespace resources, specifically affecting TCP connections over ipcomp6. The vulnerability was initially reported by Xiumei Mu and received a CVSS v3.1 base score of 5.5 (Medium) (NVD).

The vulnerability occurs when an skb (socket buffer) with a secpath reference is deferred for freeing on a CPU's deferlist, and the network namespace is deleted before the list is flushed. This results in a lingering reference to xfrmstate through the secpath, which remains attached to the skb. The issue manifests specifically during TCP tests over ipcomp6 when creating and deleting network namespace pairs. The vulnerability is classified as CWE-476 (NULL Pointer Dereference) and affects Linux kernel versions from 5.19 to 6.13.5 (NVD).

The vulnerability can lead to a warning in xfrm6tunnelnetexit and potential resource leaks when network namespaces are deleted. While the skb itself is not leaked and eventually ends up in skreceivequeue for deferred freeing, the lingering reference to xfrmstate can cause unexpected behavior during network namespace cleanup (Kernel Patch).

The issue has been fixed by modifying the TCP receive path to drop the secpath at the same time as the dst is dropped. The fix ensures that the secpath is reset after the LSM hooks have completed their operations but before the MPTCP extension is attached to the skb. The patch has been integrated into multiple kernel versions through the stable tree (Kernel Patch).