CVE-2025-39873
published 2025-09-23CVE-2025-39873: In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
can_put_echo_skb() takes ownership of the SKB and it may be freed
during or after the call.
However, xilinx_can xcan_write_frame() keeps using SKB after the call.
Fix that by only calling can_put_echo_skb() after the code is done
touching the SKB.
The tx_lock is held for the entire xcan_write_frame() execution and
also on the can_get_echo_skb() side so the order of operations does not
matter.
An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb
memory") did not move the can_put_echo_skb() call far enough.
[mkl: add "commit" in front of sha1 in patch description]
[mkl: fix indention]
Affected
27 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 1598efe57b3e768056e4ca56cb9cf33111e68d1c < e202ffd9e54538ef67ec301ebd6d9da4823466c9 | e202ffd9e54538ef67ec301ebd6d9da4823466c9 |
| linux | linux | >= 1598efe57b3e768056e4ca56cb9cf33111e68d1c < 1139321161a3ba5e45e61e0738b37f42f20bc57a | 1139321161a3ba5e45e61e0738b37f42f20bc57a |
| linux | linux | >= 1598efe57b3e768056e4ca56cb9cf33111e68d1c < 94b050726288a56a6b8ff55aa641f2fedbd3b44c | 94b050726288a56a6b8ff55aa641f2fedbd3b44c |
| linux | linux | >= 1598efe57b3e768056e4ca56cb9cf33111e68d1c < 725b33deebd6e4c96fe7893f384510a54258f28f | 725b33deebd6e4c96fe7893f384510a54258f28f |
| linux | linux | >= 1598efe57b3e768056e4ca56cb9cf33111e68d1c < 668cc1e3bb21101d074e430de1b7ba8fd10189e7 | 668cc1e3bb21101d074e430de1b7ba8fd10189e7 |
| linux | linux | >= 1598efe57b3e768056e4ca56cb9cf33111e68d1c < ef79f00be72bd81d2e1e6f060d83cf7e425deee4 | ef79f00be72bd81d2e1e6f060d83cf7e425deee4 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.8-1 | 6.16.8-1 |
| linux | linux_kernel | >= 0 < 5.15.0-170.180 | 5.15.0-170.180 |
| linux | linux_kernel | >= 0 < 6.8.0-106.106 | 6.8.0-106.106 |
| linux | linux_kernel | >= 4.19 < 5.15.194 | 5.15.194 |
| linux | linux_kernel | >= 5.16 < 6.1.153 | 6.1.153 |
| linux | linux_kernel | >= 6.13 < 6.16.8 | 6.16.8 |
| linux | linux_kernel | >= 6.2 < 6.6.107 | 6.6.107 |
| linux | linux_kernel | >= 6.7 < 6.12.48 | 6.12.48 |
| msrc | azl3_kernel_6.6.104.2-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.96.2-2_on_azure_linux_3.0 | — | — |
| ubuntu | linux-azure-5.15 | — | — |
| ubuntu | linux-intel-iotg-5.15 | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH