{"id":"CVE-2025-40186","summary":"tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().\n\nsyzbot reported the splat below in tcp_conn_request(). [0]\n\nIf a listener is close()d while a TFO socket is being processed in\ntcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk-\u003esk\nand calls inet_child_forget(), which calls tcp_disconnect() for the\nTFO socket.\n\nAfter the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),\nwhere reqsk_put() is called due to !reqsk-\u003esk.\n\nThen, reqsk_fastopen_remove() in tcp_conn_request() decrements the\nlast req-\u003ersk_refcnt and frees reqsk, and __reqsk_free() at the\ndrop_and_free label causes the refcount underflow for the listener\nand double-free of the reqsk.\n\nLet's remove reqsk_fastopen_remove() in tcp_conn_request().\n\nNote that other callers make sure tp-\u003efastopen_rsk is not NULL.\n\n[0]:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)\nModules linked in:\nCPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:refcount_warn_saturate (lib/refcount.c:28)\nCode: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff \u003c0f\u003e 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6\nRSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246\nRAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900\nRDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280\nRBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280\nR10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100\nR13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8\nFS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)\n tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)\n tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)\n ip6_input (net/ipv6/ip6_input.c:500)\n ipv6_rcv (net/ipv6/ip6_input.c:311)\n __netif_receive_skb (net/core/dev.c:6104)\n process_backlog (net/core/dev.c:6456)\n __napi_poll (net/core/dev.c:7506)\n net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480)\n \u003c/IRQ\u003e","modified":"2026-04-02T12:48:18.958430Z","published":"2025-11-12T21:56:29.033Z","related":["SUSE-SU-2025:4393-1","SUSE-SU-2025:4422-1","SUSE-SU-2025:4505-1","SUSE-SU-2025:4515-1","SUSE-SU-2025:4516-1","SUSE-SU-2025:4517-1","SUSE-SU-2025:4521-1","SUSE-SU-2026:0487-1","SUSE-SU-2026:0489-1","SUSE-SU-2026:0490-1","SUSE-SU-2026:0491-1","SUSE-SU-2026:0515-1","SUSE-SU-2026:0518-1","SUSE-SU-2026:0521-1","SUSE-SU-2026:0524-1","SUSE-SU-2026:0525-1","SUSE-SU-2026:0543-1","SUSE-SU-2026:0546-1","SUSE-SU-2026:0548-1","SUSE-SU-2026:0550-1","SUSE-SU-2026:0551-1","SUSE-SU-2026:0554-1","SUSE-SU-2026:0555-1","SUSE-SU-2026:0556-1","SUSE-SU-2026:0557-1","SUSE-SU-2026:0560-1","SUSE-SU-2026:0561-1","SUSE-SU-2026:20012-1","SUSE-SU-2026:20015-1","SUSE-SU-2026:20021-1","SUSE-SU-2026:20039-1","SUSE-SU-2026:20059-1","SUSE-SU-2026:20455-1","SUSE-SU-2026:20456-1","SUSE-SU-2026:20457-1","SUSE-SU-2026:20458-1","SUSE-SU-2026:20459-1","SUSE-SU-2026:20460-1","SUSE-SU-2026:20461-1","SUSE-SU-2026:20462-1","SUSE-SU-2026:20463-1","SUSE-SU-2026:20464-1","SUSE-SU-2026:20465-1","SUSE-SU-2026:20466-1","SUSE-SU-2026:20467-1","SUSE-SU-2026:20468-1","SUSE-SU-2026:20469-1","SUSE-SU-2026:20470-1","SUSE-SU-2026:20471-1","SUSE-SU-2026:20472-1","SUSE-SU-2026:20473-1","SUSE-SU-2026:20496-1","SUSE-SU-2026:20499-1","SUSE-SU-2026:20500-1","SUSE-SU-2026:20501-1","SUSE-SU-2026:20502-1","SUSE-SU-2026:20503-1","SUSE-SU-2026:20504-1","SUSE-SU-2026:20505-1","SUSE-SU-2026:20506-1","SUSE-SU-2026:20507-1","SUSE-SU-2026:20508-1","SUSE-SU-2026:20511-1","SUSE-SU-2026:20512-1","SUSE-SU-2026:20513-1","SUSE-SU-2026:20514-1","SUSE-SU-2026:20515-1","SUSE-SU-2026:20516-1","SUSE-SU-2026:20517-1","SUSE-SU-2026:20518-1","SUSE-SU-2026:20541-1","SUSE-SU-2026:20558-1","SUSE-SU-2026:20606-1","SUSE-SU-2026:20635-1","SUSE-SU-2026:20644-1","SUSE-SU-2026:20645-1","openSUSE-SU-2025:20172-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40186.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40186.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40186"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7ec092a91ff351dcde89c23e795b73a328274db6"},{"fixed":"e359b742eac1eac75cff4e38ee2e8cea492acd9b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a4378dedd6e07e62f2fccb17d78c9665718763d0"},{"fixed":"ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"33a4fdf0b4a25f8ce65380c3b0136b407ca57609"},{"fixed":"eb85ad5f23268d64b037bfb545cbcba3752f90c7"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"17d699727577814198d744d6afe54735c6b54c99"},{"fixed":"643a94b0cf767325e953591c212be2eb826b9d7f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"dfd06131107e7b699ef1e2a24ed2f7d17c917753"},{"fixed":"422c1c173c39bbbae1e0eaaf8aefe40b2596233b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fa4749c065644af4db496b338452a69a3e5147d9"},{"fixed":"c11ace909e873118295e9eb22dc8c58b0b50eb32"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01"},{"fixed":"64dc47a13aa3d9daf7cec29b44dca8e22a6aea15"},{"fixed":"2e7cbbbe3d61c63606994b7ff73c72537afe2e1c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"ae313d14b45eca7a6bb29cb9bf396d977e7d28fb"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40186.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.301"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.246"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.195"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.157"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.113"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.54"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40186.json"}}],"schema_version":"1.7.5"}