CVE-2025-38500
Published: 2025-08-12
Severity: High, 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
In the Linux kernel, the following vulnerability has been resolved:

xfrm: interface: fix use-after-free after changing collect_md xfrm interface

collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces.

The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached.

Calling changelink would thus erroneously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1].

Change the check to use the xi from netdev_priv which is available earlier in the function to prevent changes in xfrm collect_md interfaces.
[1] resulting oops:

```text
[ 8.516540] kernel BUG at net/core/dev.c:12029!
[ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)
[ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 8.516569] Workqueue: netns cleanup_net
[ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0
[ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24
[ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206
[ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60
[ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122
[ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100
[ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00
[ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00
[ 8.516615] FS: 0000000000000000(00
```
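The branch-placement flaw the commit message describes, as an added C model that is not the kernel's code and not taken from the fix: the structures, xfrmi_locate(), the hash (modelled as a list), xfrmi_update() and cleanup_net() are constructed stand-ins named after the objects in the message. The vulnerable and fixed shapes of the changelink check are shown side by side, and a namespace teardown counts how many times each object is released, so the double free the message predicts becomes a checkable number rather than a crash.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the objects the commit message names; this models
 * the control-flow flaw, not the kernel's real data structures. */
struct xfrmi {
    unsigned int if_id;
    bool collect_md;
    struct xfrmi *next;   /* link in the per-namespace hash, modelled as a list */
    int free_count;       /* times teardown released this object; >1 is a double free */
};

struct xfrmi_net {
    struct xfrmi *hash;              /* xfrmi_net->xfrmi: regular interfaces, by if_id */
    struct xfrmi *collect_md_xfrmi;  /* xfrmi_net->collect_md_xfrmi: the one collect_md interface */
};

/* xfrmi_locate() walks only the hash, so it never returns the collect_md interface. */
static struct xfrmi *xfrmi_locate(struct xfrmi_net *xn, unsigned int if_id)
{
    for (struct xfrmi *xi = xn->hash; xi; xi = xi->next)
        if (xi->if_id == if_id)
            return xi;
    return NULL;
}

static void hash_insert(struct xfrmi_net *xn, struct xfrmi *xi)
{
    xi->next = xn->hash;
    xn->hash = xi;
}

static void hash_remove(struct xfrmi_net *xn, struct xfrmi *xi)
{
    for (struct xfrmi **pp = &xn->hash; *pp; pp = &(*pp)->next)
        if (*pp == xi) { *pp = xi->next; xi->next = NULL; return; }
}

/* Shared update step: drop the old hash entry (if any), apply the new if_id,
 * re-insert. The collect_md interface was never in the hash, so nothing is
 * removed and it ends up in the hash while collect_md_xfrmi still points at it. */
static void xfrmi_update(struct xfrmi_net *xn, struct xfrmi *xi, unsigned int new_if_id)
{
    hash_remove(xn, xi);
    xi->if_id = new_if_id;
    hash_insert(xn, xi);
}

/* Vulnerable shape: the collect_md check sits only on the branch where
 * xfrmi_locate() found something, which it never does for the collect_md interface. */
int changelink_vulnerable(struct xfrmi_net *xn, struct xfrmi *dev, unsigned int new_if_id)
{
    struct xfrmi *xi = xfrmi_locate(xn, new_if_id);
    if (xi) {
        if (xi != dev)
            return -EEXIST;
        if (xi->collect_md)   /* unreachable for the interface that matters */
            return -EINVAL;
    } else {
        xi = dev;
    }
    xfrmi_update(xn, xi, new_if_id);
    return 0;
}

/* Fixed shape: validate the interface actually being changed (netdev_priv(dev)
 * in the kernel) before any lookup, so the special interface is rejected. */
int changelink_fixed(struct xfrmi_net *xn, struct xfrmi *dev, unsigned int new_if_id)
{
    if (dev->collect_md)
        return -EINVAL;       /* collect_md can only be set at creation */
    struct xfrmi *xi = xfrmi_locate(xn, new_if_id);
    if (xi && xi != dev)
        return -EEXIST;
    xfrmi_update(xn, dev, new_if_id);
    return 0;
}

/* Namespace teardown: release every hash entry, then the collect_md interface.
 * Returns how many objects were released more than once. */
int cleanup_net(struct xfrmi_net *xn)
{
    int double_frees = 0;
    for (struct xfrmi *xi = xn->hash; xi; xi = xi->next)
        if (++xi->free_count > 1)
            double_frees++;
    if (xn->collect_md_xfrmi && ++xn->collect_md_xfrmi->free_count > 1)
        double_frees++;
    xn->hash = NULL;
    xn->collect_md_xfrmi = NULL;
    return double_frees;
}

/* Drive one variant on a constructed namespace holding a regular interface
 * (if_id 2) and a collect_md interface (if_id 1); returns the double-free count. */
int run_scenario(bool use_fix)
{
    struct xfrmi md = { .if_id = 1, .collect_md = true };
    struct xfrmi reg = { .if_id = 2 };
    struct xfrmi_net xn = { 0 };
    hash_insert(&xn, &reg);
    xn.collect_md_xfrmi = &md;

    int (*changelink)(struct xfrmi_net *, struct xfrmi *, unsigned int) =
        use_fix ? changelink_fixed : changelink_vulnerable;
    changelink(&xn, &reg, 3);   /* legitimate change on a regular interface */
    changelink(&xn, &md, 7);    /* must fail; silently succeeds in the vulnerable shape */
    return cleanup_net(&xn);
}

int main(void)
{
    printf("vulnerable: %d double free(s)\n", run_scenario(false));
    printf("fixed:      %d double free(s)\n", run_scenario(true));
    return 0;
}
```

Run stand-alone it reports one double free for the vulnerable shape and none for the fixed one. The design point is the one the commit makes: a validation placed on only one branch of a lookup is only as good as the lookup's coverage, so the check belongs on the object actually being modified, before any lookup that may not find it.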
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.148-1 (bookworm) | linux 6.1.148-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.148-1 (bookworm) | linux 6.1.148-1 (bookworm) |
| android | — | — | — |
| linux | linux | — | — |
| linux | linux | >= abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 < a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4 | a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4 |
| linux | linux | >= abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 < bfebdb85496e1da21d3cf05de099210915c3e706 | bfebdb85496e1da21d3cf05de099210915c3e706 |
| linux | linux | >= abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 < 5918c3f4800a3aef2173865e5903370f21e24f47 | 5918c3f4800a3aef2173865e5903370f21e24f47 |
| linux | linux | >= abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 < 69a31f7a6a81f5ffd3812c442e09ff0be22960f1 | 69a31f7a6a81f5ffd3812c442e09ff0be22960f1 |
| linux | linux | >= abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 < a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b | a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 6.1.148-1 | 6.1.148-1 |
| linux | linux_kernel | >= 0 < 6.12.41-1 | 6.12.41-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 6.8.0-85.85 | 6.8.0-85.85 |
| linux | linux_kernel | >= 6.1 < 6.1.148 | 6.1.148 |
| linux | linux_kernel | >= 6.13 < 6.15.9 | 6.15.9 |
| linux | linux_kernel | >= 6.2 < 6.6.101 | 6.6.101 |
| linux | linux_kernel | >= 6.7 < 6.12.41 | 6.12.41 |
| msrc | azl3_kernel_6.6.96.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.96.2-2_on_azure_linux_3.0 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 7.8 | HIGH | — |