CVE-2025-39852 | net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6

In the Linux kernel, the following vulnerability has been resolved: net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just exits the function. This ends up causing a memory-leak: unreferenced object 0xffff0000281a8200 (size 2496): comm "softirq", pid 0, jiffies 4295174684 hex dump (first 32 bytes): 7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................ 0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............ backtrace (crc 5ebdbe15): kmemleak_alloc+0x44/0xe0 kmem_cache_alloc_noprof+0x248/0x470 sk_prot_alloc+0x48/0x120 sk_clone_lock+0x38/0x3b0 inet_csk_clone_lock+0x34/0x150 tcp_create_openreq_child+0x3c/0x4a8 tcp_v6_syn_recv_sock+0x1c0/0x620 tcp_check_req+0x588/0x790 tcp_v6_rcv+0x5d0/0xc18 ip6_protocol_deliver_rcu+0x2d8/0x4c0 ip6_input_finish+0x74/0x148 ip6_input+0x50/0x118 ip6_sublist_rcv+0x2fc/0x3b0 ipv6_list_rcv+0x114/0x170 __netif_receive_skb_list_core+0x16c/0x200 netif_receive_skb_list_internal+0x1f0/0x2d0 This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need to be called. They make sure the newsk will end up being correctly free'd. tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit label that takes care of things. So, this patch here makes sure tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar error-handling and thus fixes the leak for TCP-AO.

Published: 2025-09-19 Last update: 2026-01-14 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2025-39852 is rated Low Risk (22.9/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.02%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-39852

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-09-20 0.02%

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-39852

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.5 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 3.6 [email protected]
5.5 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 3.6 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2025-39852

OS Trackers for CVE-2025-39852

vendor priority summary link
debian unimportant CVE-2025-39852 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2025-39852
redhat medium https://access.redhat.com/security/cve/CVE-2025-39852
suse medium CVE-2025-39852 severity moderate: SUSE including 94 source package names (cluster-md-kmp-64kb-6.12.0-160000.6.1, cluster-md-kmp-default, …), 450 product×package rows across 82 product lines (Image SLES-Azure-3P, Image SLES-Azure-Basic, … (82 product lines)): Known Not Affected 252, Fixed 177, First Fixed 21. https://www.suse.com/security/cve/CVE-2025-39852/
ubuntu medium CVE-2025-39852 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, ignored 176, released 117, not-affected 95, needed 5, needs-triage 2, pending 2. https://ubuntu.com/security/CVE-2025-39852

Affected software / configurations for CVE-2025-39852

Vendor Product Version Raw CPE
linux linux_kernel >= 6.7, < 6.12.46 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.13, < 6.16.6 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel 6.17 cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
linux linux_kernel 6.17 cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
linux linux_kernel 6.17 cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
linux linux_kernel 6.17 cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*

References for CVE-2025-39852

cvelogic Threat Intelligence