CVE-2025-38470
Published 2025-07-28
Medium, 5.5 (CVSS 3.1)
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
In the Linux kernel, the following vulnerability has been resolved:

net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime

Assuming the "rx-vlan-filter" feature is enabled on a net device, the
8021q module will automatically add or remove VLAN 0 when the net device
is put administratively up or down, respectively. There are a couple of
problems with the above scheme.

The first problem is a memory leak that can happen if the "rx-vlan-filter"
feature is disabled while the device is running:

    # ip link add bond1 up type bond mode 0
    # ethtool -K bond1 rx-vlan-filter off
    # ip link del dev bond1

When the device is put administratively down the "rx-vlan-filter"
feature is disabled, so the 8021q module will not remove VLAN 0 and the
memory will be leaked [1].

Another problem that can happen is that the kernel can automatically
delete VLAN 0 when the device is put administratively down despite not
adding it when the device was put administratively up since during that
time the "rx-vlan-filter" feature was disabled. null-ptr-unref or
bug_on[2] will be triggered by unregister_vlan_dev() for refcount
imbalance if toggling filtering during runtime:

    $ ip link add bond0 type bond mode 0
    $ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q
    $ ethtool -K bond0 rx-vlan-filter off
    $ ifconfig bond0 up
    $ ethtool -K bond0 rx-vlan-filter on
    $ ifconfig bond0 down
    $ ip link del vlan0

Root cause is as below:

    step1: add vlan0 for real_dev, such as bond, team.
      register_vlan_dev
        vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1
    step2: disable vlan filter feature and enable real_dev
    step3: change filter from 0 to 1
      vlan_device_event
        vlan_filter_push_vids
          ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0
    step4: real_dev down
      vlan_device_event
        vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0
          vlan_info_rcu_free //free vlan0
    step5: delete vlan0
      unregister_vlan_dev
        BUG_ON(!vlan_info); //vlan_info is null

Fix both problems by noting in the VLA
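
The two sequences above can be replayed against a small user-space model of the VLAN 0 reference count. This is an added example, not kernel code and not the patch itself: every name in it is hypothetical, and the `auto_added` flag in the guarded variant is an assumption of this example, shown as one way to keep the automatic add and delete paired.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of VLAN 0 bookkeeping on a real device (hypothetical names). */
struct real_dev {
    int  vid0_refcnt;  /* references on VLAN 0; 0 means vlan_info was freed */
    bool filter_on;    /* state of the "rx-vlan-filter" feature */
    bool auto_added;   /* assumption: set when "up" added VLAN 0 itself */
};
enum outcome { BALANCED, LEAKED, UNDERFLOW };

/* Device put up: VLAN 0 is added only while filtering is enabled. */
static void dev_up(struct real_dev *d)
{
    if (d->filter_on) {
        d->vid0_refcnt++;
        d->auto_added = true;
    }
}

/* Device put down: the old logic keys the delete on the *current* filter
 * state; the guarded variant keys it on what "up" actually did. */
static void dev_down(struct real_dev *d, bool guarded)
{
    bool del = guarded ? d->auto_added : d->filter_on;
    if (del)
        d->vid0_refcnt--;
    d->auto_added = false;
}

enum outcome leak_scenario(bool guarded)
{
    struct real_dev d = { .filter_on = true };
    dev_up(&d);              /* ip link add bond1 up: VLAN 0 added */
    d.filter_on = false;     /* ethtool -K bond1 rx-vlan-filter off */
    dev_down(&d, guarded);   /* ip link del dev bond1 */
    return d.vid0_refcnt > 0 ? LEAKED : BALANCED;
}

enum outcome imbalance_scenario(bool guarded)
{
    struct real_dev d = { .vid0_refcnt = 1 };  /* step1: vlan0 registered */
    dev_up(&d);              /* step2: filter off, device up, nothing added */
    d.filter_on = true;      /* step3: filter on, no reference taken */
    dev_down(&d, guarded);   /* step4: old logic drops the count to 0 */
    if (d.vid0_refcnt == 0)  /* step5: unregister finds vlan_info gone */
        return UNDERFLOW;
    return --d.vid0_refcnt > 0 ? LEAKED : BALANCED;
}

int main(void)
{
    printf("leak: old=%d guarded=%d\n", leak_scenario(false), leak_scenario(true));
    printf("imbalance: old=%d guarded=%d\n", imbalance_scenario(false), imbalance_scenario(true));
    return 0;
}
```
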
Affected
45 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= ad1afb00393915a51c21b1ae8704562bf036855f < ba48d3993af23753e1f1f01c8d592de9c7785f24 | ba48d3993af23753e1f1f01c8d592de9c7785f24 |
| linux | linux | >= ad1afb00393915a51c21b1ae8704562bf036855f < 35142b3816832889e50164d993018ea5810955ae | 35142b3816832889e50164d993018ea5810955ae |
| linux | linux | >= ad1afb00393915a51c21b1ae8704562bf036855f < 047b61a24d7c866c502aeeea482892969a68f216 | 047b61a24d7c866c502aeeea482892969a68f216 |
| linux | linux | >= ad1afb00393915a51c21b1ae8704562bf036855f < d43ef15bf4856c8c4c6c3572922331a5f06deb77 | d43ef15bf4856c8c4c6c3572922331a5f06deb77 |
| linux | linux | >= ad1afb00393915a51c21b1ae8704562bf036855f < bb515c41306454937464da055609b5fb0a27821b | bb515c41306454937464da055609b5fb0a27821b |
| linux | linux | >= ad1afb00393915a51c21b1ae8704562bf036855f < 8984bcbd1edf5bee5be06ad771d157333b790c33 | 8984bcbd1edf5bee5be06ad771d157333b790c33 |
| linux | linux | >= ad1afb00393915a51c21b1ae8704562bf036855f < 93715aa2d80e6c5cea1bb486321fc4585076928b | 93715aa2d80e6c5cea1bb486321fc4585076928b |
| linux | linux | >= ad1afb00393915a51c21b1ae8704562bf036855f < 579d4f9ca9a9a605184a9b162355f6ba131f678d | 579d4f9ca9a9a605184a9b162355f6ba131f678d |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.41-1 | 6.12.41-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 2.6.36 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.147 | 6.1.147 |
| linux | linux_kernel | >= 5.5 < 5.10.241 | 5.10.241 |
| linux | linux_kernel | >= 6.13 < 6.15.8 | 6.15.8 |
| linux | linux_kernel | >= 6.2 < 6.6.100 | 6.6.100 |
CVSS provenance
nvd: v3.1, 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv: 5.5 MEDIUM