In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Don't reference skb after sending to VIOS
Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb.
It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ibmvnicxmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dumpstacklvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] printreport+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasanreport+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] _asanload4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnicxmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] devhardstartxmit+0x150/0x358 <...> Freed by task 0: kasansavestack+0x34/0x68 kasansavetrack+0x2c/0x50 kasansavefreeinfo+0x64/0x108 _kasanmempoolpoisonobject+0x148/0x2d4 napiskbcacheput+0x5c/0x194 nettxaction+0x154/0x5b8 handlesoftirqs+0x20c/0x60c dosoftirqown_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which
[
    {
        "id": "CVE-2025-21855-1d55762b",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "161580099312207872924149677114732190131",
            "length": 5478.0
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c",
            "function": "ibmvnic_xmit"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@093b0e5c90592773863f300b908b741622eef597"
    },
    {
        "id": "CVE-2025-21855-512cb638",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "62419228631582302934731875261925874100",
                "183044330138868472668968276696502143067",
                "120769350891403543134669720292820136861",
                "138515996635132886680472454909157042134",
                "74675320161857650464080687917083279046",
                "219546345471408189012030739186555817988",
                "265375100981949065271819332262506714438",
                "59890434806717727557931736993275335384",
                "204740655867637425637591540196416197203",
                "282818100428220733598704013507565421774",
                "180372565737519223876576338194238638618",
                "309905996041050316402288707560571655408"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25dddd01dcc8ef3acff964dbb32eeb0d89f098e9"
    },
    {
        "id": "CVE-2025-21855-540717bd",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "49307806427326895512981210448802978507",
            "length": 5686.0
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c",
            "function": "ibmvnic_xmit"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25dddd01dcc8ef3acff964dbb32eeb0d89f098e9"
    },
    {
        "id": "CVE-2025-21855-5e296b02",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "62419228631582302934731875261925874100",
                "183044330138868472668968276696502143067",
                "120769350891403543134669720292820136861",
                "138515996635132886680472454909157042134",
                "74675320161857650464080687917083279046",
                "219546345471408189012030739186555817988",
                "265375100981949065271819332262506714438",
                "59890434806717727557931736993275335384",
                "204740655867637425637591540196416197203",
                "282818100428220733598704013507565421774",
                "180372565737519223876576338194238638618",
                "309905996041050316402288707560571655408"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abaff2717470e4b5b7c0c3a90e128b211a23da09"
    },
    {
        "id": "CVE-2025-21855-66085c09",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "62419228631582302934731875261925874100",
                "183044330138868472668968276696502143067",
                "120769350891403543134669720292820136861",
                "106532286691275625663316069309822746488",
                "74675320161857650464080687917083279046",
                "219546345471408189012030739186555817988",
                "265375100981949065271819332262506714438",
                "59890434806717727557931736993275335384",
                "204740655867637425637591540196416197203",
                "282818100428220733598704013507565421774",
                "180372565737519223876576338194238638618",
                "309905996041050316402288707560571655408"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@093b0e5c90592773863f300b908b741622eef597"
    },
    {
        "id": "CVE-2025-21855-776db4da",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "62419228631582302934731875261925874100",
                "183044330138868472668968276696502143067",
                "120769350891403543134669720292820136861",
                "138515996635132886680472454909157042134",
                "74675320161857650464080687917083279046",
                "219546345471408189012030739186555817988",
                "265375100981949065271819332262506714438",
                "59890434806717727557931736993275335384",
                "204740655867637425637591540196416197203",
                "282818100428220733598704013507565421774",
                "180372565737519223876576338194238638618",
                "309905996041050316402288707560571655408"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bdf5d13aa05ec314d4385b31ac974d6c7e0997c9"
    },
    {
        "id": "CVE-2025-21855-83faf7f7",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "161580099312207872924149677114732190131",
            "length": 5478.0
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c",
            "function": "ibmvnic_xmit"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@501ac6a7e21b82e05207c6b4449812d82820f306"
    },
    {
        "id": "CVE-2025-21855-c3ddde5a",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "49307806427326895512981210448802978507",
            "length": 5686.0
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c",
            "function": "ibmvnic_xmit"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bdf5d13aa05ec314d4385b31ac974d6c7e0997c9"
    },
    {
        "id": "CVE-2025-21855-c7807bbc",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "62419228631582302934731875261925874100",
                "183044330138868472668968276696502143067",
                "120769350891403543134669720292820136861",
                "106532286691275625663316069309822746488",
                "74675320161857650464080687917083279046",
                "219546345471408189012030739186555817988",
                "265375100981949065271819332262506714438",
                "59890434806717727557931736993275335384",
                "204740655867637425637591540196416197203",
                "282818100428220733598704013507565421774",
                "180372565737519223876576338194238638618",
                "309905996041050316402288707560571655408"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@501ac6a7e21b82e05207c6b4449812d82820f306"
    },
    {
        "id": "CVE-2025-21855-f88a7984",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "49307806427326895512981210448802978507",
            "length": 5686.0
        },
        "target": {
            "file": "drivers/net/ethernet/ibm/ibmvnic.c",
            "function": "ibmvnic_xmit"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abaff2717470e4b5b7c0c3a90e128b211a23da09"
    }
]