CVE-2025-40018: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-40018 is a vulnerability discovered in the Linux kernel's IPVS (IP Virtual Server) module, specifically related to the FTP connection handling. The vulnerability was disclosed on October 24, 2025, affecting various Linux distributions and their kernel versions (NVD, Ubuntu).

The vulnerability occurs in the netns cleanup path where _ipvsftpexit() may unregister ipvsftp before connections with valid cp->app pointers are flushed, leading to a use-after-free condition. The issue specifically relates to the timing of the FTP module unregistration during network namespace cleanup operations (NVD).

The vulnerability affects multiple Linux distributions including Ubuntu's various releases (noble, jammy, plucky, and questing) and Debian's releases (bullseye, bookworm, trixie, and forky). The impact extends to different kernel variants including standard, AWS, Azure, and GCP configurations (Ubuntu, Debian).

A fix has been implemented by introducing a global exiting_module flag, which is set to true in ipvsftpexit() before unregistering the pernet subsystem. The _ipvsftpexit() function now skips ipvsftp unregister during netns cleanup when exitingmodule is false and defers it to _ipvscleanupbatch(), which unregisters all apps after all connections are flushed (NVD).