CVE-2025-22077: Revert "smb: client: fix TCP timers deadlock after rmmod"
In the Linux kernel, the following vulnerability has been resolved:
Revert "smb: client: fix TCP timers deadlock after rmmod"
This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801.
Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is
mentioned as CVE-2024-54680, but is actually did not fix anything;
The issue can be reproduced on top of it. [0]
Also, it reverted the change by commit ef7134c7fc48 ("smb: client:
Fix use-after-free of network namespace.") and introduced a real
issue by reviving the kernel TCP socket.
When a reconnect happens for a CIFS connection, the socket state
transitions to FIN_WAIT_1. Then, inet_csk_clear_xmit_timers_sync()
in tcp_close() stops all timers for the socket.
If an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1
forever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans.
Usually, FIN can be retransmitted by the peer, but if the peer aborts
the connection, the issue comes into reality.
I warned about this privately by pointing out the exact report [1],
but the bogus fix was finally merged.
So, we should not stop the timers to finally kill the connection on
our side in that case, meaning we must not use a kernel socket for
TCP whose sk->sk_net_refcnt is 0.
The kernel socket does not have a reference to its netns to make it
possible to tear down netns without cleaning up every resource in it.
For example, tunnel devices use a UDP socket internally, but we can
destroy netns without removing such devices and let it complete
during exit. Otherwise, netns would be leaked when the last application
died.
However, this is problematic for TCP sockets because TCP has timers to
close the connection gracefully even after the socket is close()d. The
lifetime of the socket and its netns is different from the lifetime of
the underlying connection.
If the socket user does not maintain the netns lifetime, the timer could
be fired after the socket is close()d and its netns is freed up, resulting
in use-after-free.
Actually, we have seen so many similar issues and converted such sockets
to have a reference to netns.
That's why I converted the CIFS client socket to have a reference to
netns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope
of CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right
fix**.
Regarding the LOCKDEP issue, we can prevent the module unload by
bumping the module refcount when switching the LOCKDDEP key in
sock_lock_init_class_and_name(). [2]
For a while, let's revert the bogus fix.
Note that now we can use sk_net_refcnt_upgrade() for the socket
conversion, but I'll do so later separately to make backport easy.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue affects the SMB/CIFS client’s handling of TCP sockets during reconnect and teardown. A prior fix was reverted because it did not solve the reported problem and could leave connections or namespace references in unsafe states. Business risk depends on whether systems mount SMB shares using affected kernels.
Executive priority
Treat as a targeted kernel maintenance item, not an emergency internet-wide event based on current evidence. Prioritize SMB-dependent Linux systems and platforms where kernel updates are operationally difficult.
Technical view
The vulnerable path involves CIFS client TCP sockets, FIN_WAIT_1 teardown, stopped timers, and network namespace lifetime. The source says the earlier change could leak sockets up to tcp_max_orphans and revive a use-after-free risk after netns teardown. Stable kernel commits are referenced as the resolution path.
Likely exposure
Exposure is most plausible on Linux systems running affected kernel versions with SMB/CIFS client usage. The provided data identifies Linux kernel versions and commits but does not provide distribution package mappings or default configuration details.
Exploitation context
No active exploitation is stated. KEV is false, and the source bundle does not cite public exploitation. The described trigger depends on SMB client reconnect or teardown behavior and TCP connection state handling, not a generic web-facing service.
Researcher notes
The source links this CVE to a revert of e9f2517a3e18 and restoration of safer netns lifetime handling. Evidence is strong for root cause direction but incomplete for exploitability, attacker prerequisites, CVSS, and distribution-specific affected packages.
Mitigation direction
Check vendor kernel advisories for CVE-2025-22077 package status.
Prioritize updates on systems using SMB/CIFS mounts.
Move to a kernel containing the referenced stable fixes.
Review SMB client dependency on exposed or untrusted network paths.
Monitor for abnormal orphaned TCP sockets on affected hosts.
Validation and detection
Inventory Linux kernel versions across servers and endpoints.
Identify systems using CIFS or SMB client mounts.
Compare kernels against vendor-fixed releases or referenced commits.
Check whether affected hosts show persistent FIN_WAIT_1 sockets.
Confirm remediation through vendor package metadata after update.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-22077 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Apr 16, 2025, 14:12 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.