CVE-2025-38476
Published 2025-07-28
Severity: high, 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
In the Linux kernel, the following vulnerability has been resolved:
rpl: Fix use-after-free in rpl_do_srh_inline().
Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers
the splat below [0].
rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after
skb_cow_head(), which is illegal as the header could be freed then.
Let's fix it by making oldhdr a local struct instead of a pointer.
[0]:
[root@fedora net]# ./lwt_dst_cache_ref_loop.sh
...
TEST: rpl (input)
[ 57.631529] ==================================================================
BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
Read of size 40 at addr ffff888122bf96d8 by task ping6/1543
CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)
kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)
kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))
__asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))
rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)
lwtunnel_input (net/core/lwtunnel.c:459)
ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))
__netif_receive_skb_one_core (net/core/dev.c:5967)
process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)
__napi_poll.constprop.0 (net/core/dev.c:7452)
net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480 (discriminator 20))
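The pattern the description names, a header pointer taken from the packet and then read after a call that may reallocate the buffer, shown as a small user-space C model with the header snapshotted by value first. This is an added example, not the kernel's code or the upstream patch; `toy_skb`, `toy_hdr`, `toy_cow_head`, `toy_insert_srh` and `toy_demo` are hypothetical names and the packet bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of an skb: one heap block, packet at head + headroom. */
struct toy_skb { unsigned char *head; size_t headroom, len; };
struct toy_hdr { unsigned char b[40]; };      /* fixed IPv6 header: 40 bytes */

/* Models skb_cow_head(): may move the packet to a new block and free the old one. */
static int toy_cow_head(struct toy_skb *skb, size_t need)
{
    if (skb->headroom >= need) return 0;
    unsigned char *n = malloc(need + skb->len);
    if (!n) return -1;
    memcpy(n + need, skb->head + skb->headroom, skb->len);
    free(skb->head);
    skb->head = n; skb->headroom = need;
    return 0;
}

/* Insert `srh` between header and payload. The header is copied by value
 * BEFORE the reallocation; holding a `struct toy_hdr *` into skb->head across
 * toy_cow_head() and reading it afterwards is the use-after-free pattern. */
static int toy_insert_srh(struct toy_skb *skb, const unsigned char *srh, size_t n)
{
    struct toy_hdr oldhdr;
    if (skb->len < sizeof(oldhdr)) return -1;
    memcpy(&oldhdr, skb->head + skb->headroom, sizeof(oldhdr));
    if (toy_cow_head(skb, n) < 0) return -1;
    skb->headroom -= n; skb->len += n;        /* models skb_push() */
    unsigned char *data = skb->head + skb->headroom;
    memcpy(data, &oldhdr, sizeof(oldhdr));    /* source is the stack copy */
    memcpy(data + sizeof(oldhdr), srh, n);
    return 0;
}

/* Constructed input: 40-byte header of 0xAA, 4-byte payload of 0xBB, no headroom. */
static int toy_demo(void)
{
    unsigned char srh[8] = {1, 2, 3, 4, 5, 6, 7, 8}, want[52];
    struct toy_skb skb = { malloc(44), 0, 44 };
    if (!skb.head) return -1;
    memset(skb.head, 0xAA, 40); memset(skb.head + 40, 0xBB, 4);
    memset(want, 0xAA, 40); memcpy(want + 40, srh, 8); memset(want + 48, 0xBB, 4);
    int ok = toy_insert_srh(&skb, srh, 8) == 0 && skb.len == 52 &&
             memcmp(skb.head + skb.headroom, want, 52) == 0;
    free(skb.head);
    return ok;
}

int main(void) { return toy_demo() == 1 ? 0 : 1; }
```

Building the pointer-holding variant of this model with `-fsanitize=address` is a quick way to confirm that a regression of this kind is caught in user-space tests, in the same way KASAN caught it in the selftest.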
Affected
35 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= a7a29f9c361f8542604ef959ae6627f423b7a412 < c09e21dfc08d8afb92d9ea3bee3457adbe3ef297 | c09e21dfc08d8afb92d9ea3bee3457adbe3ef297 |
| linux | linux | >= a7a29f9c361f8542604ef959ae6627f423b7a412 < 8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc | 8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc |
| linux | linux | >= a7a29f9c361f8542604ef959ae6627f423b7a412 < e8101506ab86dd78f823b7028f2036a380f3a12a | e8101506ab86dd78f823b7028f2036a380f3a12a |
| linux | linux | >= a7a29f9c361f8542604ef959ae6627f423b7a412 < 62dcd9d6e61c39122d2f251a26829e2e55b0a11d | 62dcd9d6e61c39122d2f251a26829e2e55b0a11d |
| linux | linux | >= a7a29f9c361f8542604ef959ae6627f423b7a412 < 06ec83b6c792fde1f710c1de3e836da6e257c4c4 | 06ec83b6c792fde1f710c1de3e836da6e257c4c4 |
| linux | linux | >= a7a29f9c361f8542604ef959ae6627f423b7a412 < 034b428aa3583373a5a20b1c5931bb2b3cae1f36 | 034b428aa3583373a5a20b1c5931bb2b3cae1f36 |
| linux | linux | >= a7a29f9c361f8542604ef959ae6627f423b7a412 < b640daa2822a39ff76e70200cb2b7b892b896dce | b640daa2822a39ff76e70200cb2b7b892b896dce |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.41-1 | 6.12.41-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.147 | 6.1.147 |
| linux | linux_kernel | >= 5.7 < 5.10.241 | 5.10.241 |
| linux | linux_kernel | >= 6.13 < 6.15.8 | 6.15.8 |
| linux | linux_kernel | >= 6.2 < 6.6.100 | 6.6.100 |
| linux | linux_kernel | >= 6.7 < 6.12.40 | 6.12.40 |
| msrc | azl3_kernel_6.6.96.1-1_on_azure_linux_3.0 | — | — |
CVSS provenance
nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 7.8 HIGH