vulnerability
Ubuntu: (Multiple Advisories) (CVE-2025-21926): Linux kernel vulnerabilities
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
5 | (AV:L/AC:L/Au:S/C:N/I:N/A:C) | Apr 1, 2025 | May 20, 2025 | Jun 3, 2025 |
Description
In the Linux kernel, the following vulnerability has been resolved:
net: gso: fix ownership in __udp_gso_segment
In __udp_gso_segment the skb destructor is removed before segmenting the
skb but the socket reference is kept as-is. This is an issue if the
original skb is later orphaned as we can hit the following bug:
kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan)
RIP: 0010:ip_rcv_core+0x8b2/0xca0
Call Trace:
ip_rcv+0xab/0x6e0
__netif_receive_skb_one_core+0x168/0x1b0
process_backlog+0x384/0x1100
__napi_poll.constprop.0+0xa1/0x370
net_rx_action+0x925/0xe50
The above can happen following a sequence of events when using
OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an
OVS_ACTION_ATTR_OUTPUT action:
1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb
goes through queue_gso_packets and then __udp_gso_segment, where its
destructor is removed.
2. The segments' data are copied and sent to userspace.
3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the
same original skb is sent to its path.
4. If it later hits skb_orphan, we hit the bug.
Fix this by also removing the reference to the socket in
__udp_gso_segment.
Solution(s)
References
- CVE-2025-21926
- https://attackerkb.com/topics/CVE-2025-21926
- UBUNTU-USN-7510-1
- UBUNTU-USN-7510-2
- UBUNTU-USN-7510-3
- UBUNTU-USN-7510-4
- UBUNTU-USN-7510-5
- UBUNTU-USN-7510-6
- UBUNTU-USN-7510-7
- UBUNTU-USN-7510-8
- UBUNTU-USN-7511-1
- UBUNTU-USN-7511-2
- UBUNTU-USN-7511-3
- UBUNTU-USN-7512-1
- UBUNTU-USN-7516-1
- UBUNTU-USN-7516-2
- UBUNTU-USN-7516-3
- UBUNTU-USN-7516-4
- UBUNTU-USN-7516-5
- UBUNTU-USN-7516-6
- UBUNTU-USN-7516-7
- UBUNTU-USN-7516-8
- UBUNTU-USN-7516-9
- UBUNTU-USN-7517-1
- UBUNTU-USN-7517-2
- UBUNTU-USN-7517-3
- UBUNTU-USN-7518-1
- UBUNTU-USN-7539-1
- UBUNTU-USN-7540-1

Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.