CVE-2025-38019

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38019
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38019.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38019
Published
2025-06-18T09:28:27Z
Modified
2025-10-18T02:00:30.802813Z
Summary
mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices
Details

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices

The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices:

    # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1
    # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1
    $ ip neigh show dev gre1 nud noarp
    0.0.0.0 lladdr 0.0.0.0 NOARP

(Note that the neighbor is not marked with 'offload')

When the driver is reloaded and the existing configuration is replayed, the driver does not perform the same check regarding existing neighbors and offloads the previously added one:

    # devlink dev reload pci/0000:01:00.0
    $ ip neigh show dev gre1 nud noarp
    0.0.0.0 lladdr 0.0.0.0 offload NOARP

If the neighbor is later deleted, the driver will ignore the notification (given the GRE net device is not its upper) and will therefore keep referencing freed memory, resulting in a use-after-free [1] when the net device is deleted:

    # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1
    # ip link del dev gre1

Fix by skipping neighbor replay if the net device for which the replay is performed is not our upper.

[1]
    BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200
    Read of size 8 at addr ffff888155b0e420 by task ip/2282
    [...]
    Call Trace:
     <TASK>
     dump_stack_lvl+0x6f/0xa0
     print_address_description.constprop.0+0x6f/0x350
     print_report+0x108/0x205
     kasan_report+0xdf/0x110
     mlxsw_sp_neigh_entry_update+0x1ea/0x200
     mlxsw_sp_router_rif_gone_sync+0x2a8/0x440
     mlxsw_sp_rif_destroy+0x1e9/0x750
     mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0
     mlxsw_sp_router_netdevice_event+0x3ac/0x15e0
     notifier_call_chain+0xca/0x150
     call_netdevice_notifiers_info+0x7f/0x100
     unregister_netdevice_many_notify+0xc8c/0x1d90
     rtnl_dellink+0x34e/0xa50
     rtnetlink_rcv_msg+0x6fb/0xb70
     netlink_rcv_skb+0x131/0x360
     netlink_unicast+0x426/0x710
     netlink_sendmsg+0x75a/0xc20
     __sock_sendmsg+0xc1/0x150
     ____sys_sendmsg+0x5aa/0x7b0
     ___sys_sendmsg+0xfc/0x180
     __sys_sendmsg+0x121/0x1b0
     do_syscall_64+0xbb/0x1d0
     entry_SYSCALL_64_after_hwframe+0x4b/0x53
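
The sequence described in the commit message above, reduced to a user-space C model. This is an added example, not the mlxsw driver's code: every struct and function name is hypothetical, and a `freed` flag stands in for the kernel freeing the neighbor, so the program itself never touches freed memory.

```c
/* Simplified user-space model of the flaw. All names are hypothetical;
 * this is not the mlxsw driver's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct netdev { const char *name; bool is_our_upper; };
struct neigh  { struct netdev *dev; bool freed; };   /* freed models kfree() */
struct driver { struct neigh *tracked[4]; size_t n; bool fixed; };

static void track(struct driver *d, struct neigh *n) { if (d->n < 4) d->tracked[d->n++] = n; }

/* Neighbor added while the driver is loaded: non-uppers are not offloaded. */
void on_neigh_add(struct driver *d, struct neigh *n) { if (n->dev->is_our_upper) track(d, n); }

/* Replay of one net device's existing neighbors after a reload. */
void replay_dev(struct driver *d, struct netdev *dev, struct neigh **all, size_t cnt) {
    if (d->fixed && !dev->is_our_upper)
        return;                        /* the fix: skip replay for non-uppers */
    for (size_t i = 0; i < cnt; i++)
        if (all[i]->dev == dev) track(d, all[i]);
}

/* Neighbor deleted: the driver ignores the notification for non-uppers. */
void on_neigh_del(struct driver *d, struct neigh *n) {
    for (size_t i = 0; n->dev->is_our_upper && i < d->n; i++)
        if (d->tracked[i] == n) { d->tracked[i] = d->tracked[--d->n]; break; }
    n->freed = true;                   /* the core frees it either way */
}

/* Returns how many freed neighbors the driver still references. */
size_t run_scenario(bool fixed) {
    struct netdev gre1 = { "gre1", false };
    struct neigh nb = { &gre1, false }, *all[] = { &nb };
    struct driver d = { .fixed = fixed };
    size_t stale = 0;

    on_neigh_add(&d, &nb);             /* ip neigh add: not offloaded */
    d.n = 0;                           /* devlink dev reload: state rebuilt */
    replay_dev(&d, &gre1, all, 1);     /* replay offloads it unless fixed */
    on_neigh_del(&d, &nb);             /* ip neigh del: ignored by driver */
    for (size_t i = 0; i < d.n; i++) stale += d.tracked[i]->freed;
    return stale;
}

int main(void) {
    printf("stale refs: unfixed=%zu fixed=%zu\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

The stale reference exists only because the replay path and the notification paths apply different filters; once the replay path applies the same upper check, the driver never holds a neighbor whose deletion it would ignore.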

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0
Fixed
f1ecccb5cdda39bca8cd17bb0b6cf61361e33578
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0
Fixed
abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0
Fixed
9ab7945f3a61ed23da412e30f1e56414c05c4f06
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0
Fixed
92ec4855034b2c4d13f117558dc73d20581fa9ff

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.14.6
v6.14.7
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.5
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "id": "CVE-2025-38019-1aac3a92",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7",
        "signature_version": "v1",
        "target": {
            "file": "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "70207442509448012768006745640469071478",
                "31175578294697023466718335279650678696",
                "172540691416265567449525246169298296749"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-38019-2ba7c07f",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1ecccb5cdda39bca8cd17bb0b6cf61361e33578",
        "signature_version": "v1",
        "target": {
            "function": "mlxsw_sp_neigh_rif_made_sync",
            "file": "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
        },
        "digest": {
            "function_hash": "253628977149435525021177765712690803499",
            "length": 428.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2025-38019-4cc0db94",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ab7945f3a61ed23da412e30f1e56414c05c4f06",
        "signature_version": "v1",
        "target": {
            "file": "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "70207442509448012768006745640469071478",
                "31175578294697023466718335279650678696",
                "172540691416265567449525246169298296749"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-38019-61dc665e",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ab7945f3a61ed23da412e30f1e56414c05c4f06",
        "signature_version": "v1",
        "target": {
            "function": "mlxsw_sp_neigh_rif_made_sync",
            "file": "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
        },
        "digest": {
            "function_hash": "253628977149435525021177765712690803499",
            "length": 428.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2025-38019-775fa551",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@92ec4855034b2c4d13f117558dc73d20581fa9ff",
        "signature_version": "v1",
        "target": {
            "file": "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "70207442509448012768006745640469071478",
                "31175578294697023466718335279650678696",
                "172540691416265567449525246169298296749"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-38019-a06380c8",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7",
        "signature_version": "v1",
        "target": {
            "function": "mlxsw_sp_neigh_rif_made_sync",
            "file": "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
        },
        "digest": {
            "function_hash": "253628977149435525021177765712690803499",
            "length": 428.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-38019-caa1a7a3",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@92ec4855034b2c4d13f117558dc73d20581fa9ff",
        "signature_version": "v1",
        "target": {
            "function": "mlxsw_sp_neigh_rif_made_sync",
            "file": "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
        },
        "digest": {
            "function_hash": "253628977149435525021177765712690803499",
            "length": 428.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2025-38019-e4722efc",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1ecccb5cdda39bca8cd17bb0b6cf61361e33578",
        "signature_version": "v1",
        "target": {
            "file": "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "70207442509448012768006745640469071478",
                "31175578294697023466718335279650678696",
                "172540691416265567449525246169298296749"
            ]
        },
        "deprecated": false
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.92
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.30
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.14.8