Linux Kernel TCP Secpath and XFRM State Reference Management Vulnerability

A vulnerability in the Linux kernel's TCP implementation has been addressed. The issue arose from improper management of references between the TCP secpath and XFRM state during network namespace deletion. When a network namespace is removed, any lingering references from the secpath, which is attached to a socket buffer (skb), can lead to unexpected behavior. This vulnerability was particularly evident when the MPTCP extension was added to the skb, complicating the removal of all extensions. The problem was resolved by ensuring that the secpath is dropped concurrently with the skb's destination data, preventing the unintended retention of XFRM state references.

Impact

Exploitation of this vulnerability could lead to a warning being triggered in the XFRM tunnel net exit process, indicating a potential mishandling of network state references that could disrupt normal TCP operations.