[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-38464":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":25,"related":26,"reserved_at":9,"published_at":27,"modified_at":28,"state":9,"summary":29,"references_raw":31,"kevs":38,"epss":9,"epss_history":39,"metrics":40,"affected":47},"DEBIAN-CVE-2025-38464","In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_conn_close().  syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0]  tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn.  The problem is that tipc_conn_close() is called after releasing the IDR lock.  At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref.  Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive.  Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop().  [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435  CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace:  __dump_stack lib/dump_stack.c:77 [inline]  dump_stack+0x1fc/0x2ef lib/dump_stack.c:118  print_address_description.cold+0x54/0x219 mm/kasan/report.c:256  kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354  kasan_report mm/kasan/report.c:412 [inline]  __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433  tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165  tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]  tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722  ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153  cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553  process_one_work+0x864/0x1570 kernel/workqueue.c:2153  worker_thread+0x64c/0x1130 kernel/workqueue.c:2296  kthread+0x33f/0x460 kernel/kthread.c:259  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415  Allocated by task 23:  kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625  kmalloc include/linux/slab.h:515 [inline]  kzalloc include/linux/slab.h:709 [inline]  tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192  tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470  process_one_work+0x864/0x1570 kernel/workqueue.c:2153  worker_thread+0x64c/0x1130 kernel/workqueue.c:2296  kthread+0x33f/0x460 kernel/kthread.c:259  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415  Freed by task 23:  __cache_free mm/slab.c:3503 [inline]  kfree+0xcc/0x210 mm/slab.c:3822  tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]  kref_put include/linux/kref.h:70 [inline]  conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155  process_one_work+0x864/0x1570 kernel/workqueue.c:2153  worker_thread+0x64c/0x1130 kernel/workqueue.c:2296  kthread+0x33f/0x460 kernel/kthread.c:259  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415  The buggy address belongs to the object at ffff888099305a00  which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of  512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected  Memory state around the buggy address:  ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb                       ^  ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",null,[],[],[],[14],{"_key":15},"CVE-2025-38464",[17,19,21,23],{"_key":18},"DLA-4327-1",{"_key":20},"DLA-4328-1",{"_key":22},"DSA-5973-1",{"_key":24},"DSA-5975-1",[],[],"2025-07-25T16:15:32.383Z","2026-04-28T20:29:58.548774Z",{"cisa_kev":30,"cisa_ransomware":30,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[32],{"url":33,"sources":34,"tags":36},"https://security-tracker.debian.org/tracker/CVE-2025-38464",[35],"osv_debian",[37],"Advisory",[],[],[41],{"source":35,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":42,"cvss_v4_0":9},{"baseScore":43,"baseSeverity":9,"vectorString":44,"impactScore":45,"exploitabilityScore":46},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[48,69],{"ecosystem":49,"name":50,"vendor":51,"product":50,"cpe_part":9,"purl_type":52,"purl_namespace":51,"purl_name":50,"source":9,"versions":53},"Debian","linux","debian","deb",[54,60,63,66],{"version":55,"is_range":56,"range_type":57,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":59,"fixed_in":9},"lt5_10_244_1",true,"ecosystem","5.10.244-1","excluding",{"version":61,"is_range":56,"range_type":57,"version_start":9,"version_start_type":9,"version_end":62,"version_end_type":59,"fixed_in":9},"lt6_1_147_1","6.1.147-1",{"version":64,"is_range":56,"range_type":57,"version_start":9,"version_start_type":9,"version_end":65,"version_end_type":59,"fixed_in":9},"lt6_12_41_1","6.12.41-1",{"version":67,"is_range":56,"range_type":57,"version_start":9,"version_start_type":9,"version_end":68,"version_end_type":59,"fixed_in":9},"lt6_16_3_1","6.16.3-1",{"ecosystem":49,"name":70,"vendor":51,"product":70,"cpe_part":9,"purl_type":52,"purl_namespace":51,"purl_name":70,"source":9,"versions":71},"linux-6.1",[72],{"version":73,"is_range":56,"range_type":57,"version_start":9,"version_start_type":9,"version_end":74,"version_end_type":59,"fixed_in":9},"lt6_1_153_1~deb11u1","6.1.153-1~deb11u1"]