In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix memleak of nhcpcpurthoutput in fibchecknhv6_gw().
fibchecknhv6gw() expects that fib6nhinit() cleans up everything when it fails.
Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6nh") moved fibnhcommoninit() before allocpercpugfp() within fib6nhinit() but forgot to add cleanup for fib6nh->nhcommon.nhcpcpurthoutput in case it fails to allocate fib6nh->rt6i_pcpu, resulting in memleak.
Let's call fibnhcommonrelease() and clear nhcpcpurthoutput in the error path.
Note that we can remove the fib6nhrelease() call in nhcreateipv6() later in net-next.git.
[ { "signature_version": "v1", "id": "CVE-2025-22005-20b8e976", "target": { "file": "net/ipv6/route.c", "function": "fib6_nh_init" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@119dcafe36795a15ae53351cbbd6177aaf94ffef", "digest": { "function_hash": "218265568875545901204531635836024715719", "length": 2471.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-49ffd2cc", "target": { "file": "net/ipv6/route.c", "function": "fib6_nh_init" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@77c41cdbe6bce476e08d3251c0d501feaf10a9f3", "digest": { "function_hash": "315099493041212759892598695203681335608", "length": 2438.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-4d3b9eea", "target": { "file": "net/ipv6/route.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16267a5036173d0173377545b4b6021b081d0933", "digest": { "threshold": 0.9, "line_hashes": [ "178187642252968961619650435106176112613", "331754963269561159871337280247929911025", "149127237763579250331288641875014623800", "210713610720029046038947909533351913993" ] }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-6fffc9da", "target": { "file": "net/ipv6/route.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bd12dfc058e1e68759d313d7727d68dbc1b8964", "digest": { "threshold": 0.9, "line_hashes": [ "178187642252968961619650435106176112613", "331754963269561159871337280247929911025", "149127237763579250331288641875014623800", "210713610720029046038947909533351913993" ] }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-801f888c", "target": { "file": "net/ipv6/route.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d3d5b4b5ae263c3225db363ba08b937e2e2b0380", "digest": { "threshold": 0.9, "line_hashes": [ "178187642252968961619650435106176112613", "331754963269561159871337280247929911025", "3088718382648876309173696592418825960", "184609717889866676676110063047093301152" ] }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-8310a629", "target": { "file": "net/ipv6/route.c", "function": "fib6_nh_init" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d3d5b4b5ae263c3225db363ba08b937e2e2b0380", "digest": { "function_hash": "218265568875545901204531635836024715719", "length": 2471.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-8a52b343", "target": { "file": "net/ipv6/route.c", "function": "fib6_nh_init" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9740890ee20e01f99ff1dde84c63dcf089fabb98", "digest": { "function_hash": "218265568875545901204531635836024715719", "length": 2471.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-98c809a7", "target": { "file": "net/ipv6/route.c", "function": "fib6_nh_init" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@29d91820184d5cbc70f3246d4911d96eaeb930d6", "digest": { "function_hash": "218265568875545901204531635836024715719", "length": 2471.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-9948c2ac", "target": { "file": "net/ipv6/route.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@119dcafe36795a15ae53351cbbd6177aaf94ffef", "digest": { "threshold": 0.9, "line_hashes": [ "178187642252968961619650435106176112613", "331754963269561159871337280247929911025", "3088718382648876309173696592418825960", "184609717889866676676110063047093301152" ] }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-a6554a2f", "target": { "file": "net/ipv6/route.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9740890ee20e01f99ff1dde84c63dcf089fabb98", "digest": { "threshold": 0.9, "line_hashes": [ "178187642252968961619650435106176112613", "331754963269561159871337280247929911025", "3088718382648876309173696592418825960", "184609717889866676676110063047093301152" ] }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-cafebb64", "target": { "file": "net/ipv6/route.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@596a883c4ce2d2e9c175f25b98fed3a1f33fea38", "digest": { "threshold": 0.9, "line_hashes": [ "178187642252968961619650435106176112613", "331754963269561159871337280247929911025", "213266765380318648067154810717484071373", "182827368364931382923953718546577747827" ] }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-de17d57e", "target": { "file": "net/ipv6/route.c", "function": "fib6_nh_init" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bd12dfc058e1e68759d313d7727d68dbc1b8964", "digest": { "function_hash": "233021899397054063902113724263203156203", "length": 2390.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-e5d56f48", "target": { "file": "net/ipv6/route.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@29d91820184d5cbc70f3246d4911d96eaeb930d6", "digest": { "threshold": 0.9, "line_hashes": [ "178187642252968961619650435106176112613", "331754963269561159871337280247929911025", "3088718382648876309173696592418825960", "184609717889866676676110063047093301152" ] }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-ea0166a0", "target": { "file": "net/ipv6/route.c", "function": "fib6_nh_init" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@596a883c4ce2d2e9c175f25b98fed3a1f33fea38", "digest": { "function_hash": "314344453285527627393745475770189834146", "length": 2379.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-f5dd0828", "target": { "file": "net/ipv6/route.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@77c41cdbe6bce476e08d3251c0d501feaf10a9f3", "digest": { "threshold": 0.9, "line_hashes": [ "178187642252968961619650435106176112613", "331754963269561159871337280247929911025", "213266765380318648067154810717484071373", "182827368364931382923953718546577747827" ] }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-22005-f96d4071", "target": { "file": "net/ipv6/route.c", "function": "fib6_nh_init" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16267a5036173d0173377545b4b6021b081d0933", "digest": { "function_hash": "4238682421156610885505044516356137634", "length": 2258.0 }, "signature_type": "Function", "deprecated": false } ]