Linux Kernel XFRM Policy Work Synchronization Vulnerability

Vulnerability

A vulnerability in the Linux kernel's XFRM (IPsec) subsystem can lead to a use-after-free. When a new security policy database (SPD) information message is received, the kernel can schedule a work item that processes the policy hash table thresholds. If the network namespace is deleted before this work item runs, the work item may access freed memory, which can cause instability and may be exploitable. The policy hash work is flushed during network namespace teardown, but that synchronization does not extend to the policy threshold work, which leaves a race condition. The vulnerability affects the Linux kernel stable tree.
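
The teardown-ordering gap described above, as an added single-threaded userspace model (not kernel code and not the upstream patch). All struct and function names are hypothetical, and the "freed" flag stands in for the namespace memory being released.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only; every name here is hypothetical, not a kernel symbol. */
struct work { bool pending; };

struct netns_model {
    bool freed;                /* stands in for the namespace being freed */
    struct work hash_work;     /* models the policy hash work */
    struct work hthresh_work;  /* models the policy threshold work */
};

static void queue_work_model(struct work *w) { w->pending = true; }
/* Models a flush: the item finishes while its owner is still valid. */
static void flush_work_model(struct work *w) { w->pending = false; }

/* fixed == false: only the hash work is synchronized, as the page describes. */
static void netns_teardown(struct netns_model *ns, bool fixed)
{
    flush_work_model(&ns->hash_work);
    if (fixed)
        flush_work_model(&ns->hthresh_work);
    ns->freed = true;
}

/* Worker pass after teardown: counts items that would touch a freed owner. */
static int run_worker(struct netns_model *ns)
{
    struct work *items[] = { &ns->hash_work, &ns->hthresh_work };
    int stale = 0;
    for (size_t i = 0; i < sizeof(items) / sizeof(items[0]); i++) {
        if (items[i]->pending && ns->freed)
            stale++;  /* in the kernel this is the use-after-free */
        items[i]->pending = false;
    }
    return stale;
}

/* SPD info update queues threshold work, then the namespace is torn down. */
static int stale_accesses(bool fixed)
{
    struct netns_model ns = { 0 };
    queue_work_model(&ns.hash_work);
    queue_work_model(&ns.hthresh_work);
    netns_teardown(&ns, fixed);
    return run_worker(&ns);
}

int main(void) { return stale_accesses(true); }
```

The invariant the model checks is that every work item embedded in an object is synchronized before that object is released, not only some of them.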

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, where the system dereferences memory that has already been freed. This can cause undefined behavior, such as memory corruption or crashes, and may be exploitable to execute arbitrary code.

Reproduction

To reproduce this vulnerability, send an XFRM_MSG_NEWSPDINFO request while simultaneously tearing down the network namespace. The queued work item will attempt to access the network structure, which may have already been freed, leading to a use-after-free condition.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.

Added: Apr 22, 2026, 2:44 PM
Updated: Apr 22, 2026, 2:44 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.