CVE intelligence and bounded remediation

CVE-2025-39852 — Linux Linux Kernel security vulnerability

Medium CVSS 5.5

In the Linux kernel, the following vulnerability has been resolved: net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just exits the function. This ends up causing a memory-leak: unreferenced object 0xffff0000281a8200 (size 2496): comm "softirq", pid 0, jiffies 4295174684 hex dump (first 32 bytes): 7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................ 0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............ backtrace (crc 5ebdbe15): kmemleak_alloc+0x44/0xe0 kmem_cache_alloc_noprof+0x248/0x470 sk_prot_alloc+0x48/0x120 sk_clone_lock+0x38/0x3b0 inet_csk_clone_lock+0x34/0x150 tcp_create_openreq_child+0x3c/0x4a8 tcp_v6_syn_recv_sock+0x1c0/0x620 tcp_check_req+0x588/0x790 tcp_v6_rcv+0x5d0/0xc18 ip6_protocol_deliver_rcu+0x2d8/0x4c0 ip6_input_finish+0x74/0x148 ip6_input+0x50/0x118 ip6_sublist_rcv+0x2fc/0x3b0 ipv6_list_rcv+0x114/0x170 __netif_receive_skb_list_core+0x16c/0x200 netif_receive_skb_list_internal+0x1f0/0x2d0 This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need to be called. They make sur…

Severity
Medium
CVSS
5.5 (3.1)
Published
2025-09-19
CISA KEV
Not currently listed
Ecosystem
linux/kernel
Weaknesses
CWE-401

Affected products

  • linux / linux_kernel
  • linux / linux_kernel / 6.17

Showing 2 representative product identities from 6 source matches. Confirm exact affected versions with the linked vendor and NVD evidence.

Matched remediation archetype

Resource exhaustion and denial of service

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Identify attacker-influenced work factors including input size, nesting, compression, fan-out, regex cost, allocation, recursion, retries, and connection lifetime.
  • Map per-request and shared CPU, memory, disk, descriptor, thread, queue, and downstream-service limits.
  • Determine whether authentication, tenancy, quotas, and rate controls apply before expensive processing begins.

Remediate safely

  • Bound input size, nesting, expansion, work, concurrency, queue depth, retries, and execution time before resource-intensive processing.
  • Release resources on every success, error, cancellation, and timeout path and use backpressure instead of unbounded buffering.
  • Update affected components and add small deterministic tests that assert resource ceilings rather than exhausting a host.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.