CVE-2025-39848
published 2025-09-19CVE-2025-39848: In the Linux kernel, the following vulnerability has been resolved: ax25: properly unshare skbs in ax25_kiss_rcv() Bernard Pidoux reported a regression…
medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
ax25: properly unshare skbs in ax25_kiss_rcv()
Bernard Pidoux reported a regression apparently caused by commit
c353e8983e0d ("net: introduce per netns packet chains").
skb->dev becomes NULL and we crash in __netif_receive_skb_core().
Before above commit, different kind of bugs or corruptions could happen
without a major crash.
But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
without checking if this skb is shared or not.
Many thanks to Bernard Pidoux for his help, diagnosis and tests.
We had a similar issue years ago fixed with commit 7aaed57c5c28
("phonet: properly unshare skbs in phonet_rcv()").
Affected
31 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 42b46684e2c78ee052d8c2ee8d9c2089233c9094 | 42b46684e2c78ee052d8c2ee8d9c2089233c9094 |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 5b079be1b9da49ad88fc304c874d4be7085f7883 | 5b079be1b9da49ad88fc304c874d4be7085f7883 |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2bd0f67212908243ce88e35bf69fa77155b47b14 | 2bd0f67212908243ce88e35bf69fa77155b47b14 |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 01a2984cb803f2d487b7074f9718db2bf3531f69 | 01a2984cb803f2d487b7074f9718db2bf3531f69 |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 7d449b7a6c8ee434d10a483feed7c5c50108cf56 | 7d449b7a6c8ee434d10a483feed7c5c50108cf56 |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 89064cf534bea4bb28c83fe6bbb26657b19dd5fe | 89064cf534bea4bb28c83fe6bbb26657b19dd5fe |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b1c71d674a308d2fbc83efcf88bfc4217a86aa17 | b1c71d674a308d2fbc83efcf88bfc4217a86aa17 |
| linux | linux | >= 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8156210d36a43e76372312c87eb5ea3dbb405a85 | 8156210d36a43e76372312c87eb5ea3dbb405a85 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.6-1 | 6.16.6-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-106.106 | 6.8.0-106.106 |
| linux | linux_kernel | >= 2.6.12.1 < 5.4.299 | 5.4.299 |
| linux | linux_kernel | >= 5.11 < 5.15.192 | 5.15.192 |
| linux | linux_kernel | >= 5.16 < 6.1.151 | 6.1.151 |
| linux | linux_kernel | >= 5.5 < 5.10.243 | 5.10.243 |
| linux | linux_kernel | >= 6.13 < 6.16.6 | 6.16.6 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM