Linux Kernel Use-After-Free: ip_vs_ftp netns cleanup path
CVE-2025-40018 Published on October 24, 2025
ipvs: Defer ip_vs_ftp unregister during netns cleanup
In the Linux kernel, the following vulnerability has been resolved:
ipvs: Defer ip_vs_ftp unregister during netns cleanup
On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp
before connections with valid cp->app pointers are flushed, leading to a
use-after-free.
Fix this by introducing a global `exiting_module` flag, set to true in
ip_vs_ftp_exit() before unregistering the pernet subsystem. In
__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns
cleanup (when exiting_module is false) and defer it to
__ip_vs_cleanup_batch(), which unregisters all apps after all connections
are flushed. If called during module exit, unregister ip_vs_ftp
immediately.
Products Associated with CVE-2025-40018
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
Linux:- Version 61b1ab4583e275af216c8454b9256de680499b19 and below 8a6ecab3847c213ce2855b0378e63ce839085de3 is affected.
- Version 61b1ab4583e275af216c8454b9256de680499b19 and below 421b1ae1574dfdda68b835c15ac4921ec0030182 is affected.
- Version 61b1ab4583e275af216c8454b9256de680499b19 and below 1d79471414d7b9424d699afff2aa79fff322f52d is affected.
- Version 61b1ab4583e275af216c8454b9256de680499b19 and below 53717f8a4347b78eac6488072ad8e5adbaff38d9 is affected.
- Version 61b1ab4583e275af216c8454b9256de680499b19 and below 8cbe2a21d85727b66d7c591fd5d83df0d8c4f757 is affected.
- Version 61b1ab4583e275af216c8454b9256de680499b19 and below dc1a481359a72ee7e548f1f5da671282a7c13b8f is affected.
- Version 61b1ab4583e275af216c8454b9256de680499b19 and below a343811ef138a265407167294275201621e9ebb2 is affected.
- Version 61b1ab4583e275af216c8454b9256de680499b19 and below 134121bfd99a06d44ef5ba15a9beb075297c0821 is affected.
- Version 2.6.39 is affected.
- Before 2.6.39 is unaffected.
- Version 5.4.301, <= 5.4.* is unaffected.
- Version 5.10.246, <= 5.10.* is unaffected.
- Version 5.15.195, <= 5.15.* is unaffected.
- Version 6.1.156, <= 6.1.* is unaffected.
- Version 6.6.112, <= 6.6.* is unaffected.
- Version 6.12.53, <= 6.12.* is unaffected.
- Version 6.17.3, <= 6.17.* is unaffected.
- Version 6.18, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.