[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-40186":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":19,"related":20,"reserved_at":9,"published_at":21,"modified_at":22,"state":9,"summary":23,"references_raw":25,"kevs":32,"epss":9,"epss_history":33,"metrics":34,"affected":35},"DEBIAN-CVE-2025-40186","In the Linux kernel, the following vulnerability has been resolved:  tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().  syzbot reported the splat below in tcp_conn_request(). [0]  If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket.  After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due to !reqsk->sk.  Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the drop_and_free label causes the refcount underflow for the listener and double-free of the reqsk.  Let's remove reqsk_fastopen_remove() in tcp_conn_request().  Note that other callers make sure tp->fastopen_rsk is not NULL.  [0]: refcount_t: underflow; use-after-free. WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28) Modules linked in: CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:refcount_warn_saturate (lib/refcount.c:28) Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff \u003C0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6 RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246 RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900 RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280 RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280 R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100 R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8 FS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0 Call Trace:  \u003CIRQ>  tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)  tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)  tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)  tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)  ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)  ip6_input (net/ipv6/ip6_input.c:500)  ipv6_rcv (net/ipv6/ip6_input.c:311)  __netif_receive_skb (net/core/dev.c:6104)  process_backlog (net/core/dev.c:6456)  __napi_poll (net/core/dev.c:7506)  net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)  handle_softirqs (kernel/softirq.c:579)  do_softirq (kernel/softirq.c:480)  \u003C/IRQ>",null,[],[],[],[14],{"_key":15},"CVE-2025-40186",[17],{"_key":18},"DLA-4379-1",[],[],"2025-11-12T22:15:45.443Z","2026-04-28T20:30:28.774264Z",{"cisa_kev":24,"cisa_ransomware":24,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[26],{"url":27,"sources":28,"tags":30},"https://security-tracker.debian.org/tracker/CVE-2025-40186",[29],"osv_debian",[31],"Advisory",[],[],[],[36,57],{"ecosystem":37,"name":38,"vendor":39,"product":38,"cpe_part":9,"purl_type":40,"purl_namespace":39,"purl_name":38,"source":9,"versions":41},"Debian","linux","debian","deb",[42,48,51,54],{"version":43,"is_range":44,"range_type":45,"version_start":9,"version_start_type":9,"version_end":46,"version_end_type":47,"fixed_in":9},"lt5_10_247_1",true,"ecosystem","5.10.247-1","excluding",{"version":49,"is_range":44,"range_type":45,"version_start":9,"version_start_type":9,"version_end":50,"version_end_type":47,"fixed_in":9},"lt6_1_158_1","6.1.158-1",{"version":52,"is_range":44,"range_type":45,"version_start":9,"version_start_type":9,"version_end":53,"version_end_type":47,"fixed_in":9},"lt6_12_57_1","6.12.57-1",{"version":55,"is_range":44,"range_type":45,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":47,"fixed_in":9},"lt6_17_6_1","6.17.6-1",{"ecosystem":37,"name":58,"vendor":39,"product":58,"cpe_part":9,"purl_type":40,"purl_namespace":39,"purl_name":58,"source":9,"versions":59},"linux-6.1",[60],{"version":61,"is_range":44,"range_type":45,"version_start":9,"version_start_type":9,"version_end":62,"version_end_type":47,"fixed_in":9},"lt6_1_158_1~deb11u1","6.1.158-1~deb11u1"]