CVE-2025-40018
Linux Kernel - Use-After-Free in IPVS FTP Connection Cleanup
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.
References (8)
Core 8
Core References
Scores
EPSS
0.0019
EPSS Percentile
9.1%
Details
Status
published
Products (25)
linux/Kernel
2.6.39 - 5.4.301linux
linux/Kernel
5.11.0 - 5.15.195linux
linux/Kernel
5.16.0 - 6.1.156linux
linux/Kernel
5.5.0 - 5.10.246linux
linux/Kernel
6.13.0 - 6.17.3linux
linux/Kernel
6.2.0 - 6.6.112linux
linux/Kernel
6.7.0 - 6.12.53linux
Linux/Linux
< 2.6.39
Linux/Linux
2.6.39
Linux/Linux
5.10.246 - 5.10.*
... and 15 more
Published
Oct 24, 2025
Tracked Since
Feb 18, 2026