CVE-2025-22103

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-22103

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22103.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-22103

Downstream

BELL-CVE-2025-22103

DEBIAN-CVE-2025-22103

DSA-6008-1

ECHO-7776-ed3c-bfbe

OESA-2025-1878

OESA-2025-1879

OESA-2025-1880

SUSE-SU-2025:01919-1

SUSE-SU-2025:01951-1

SUSE-SU-2025:01964-1

SUSE-SU-2025:01965-1

SUSE-SU-2025:01967-1

UBUNTU-CVE-2025-22103

USN-7594-1

USN-7594-2

USN-7594-3

Related

Published

2025-04-16T15:16:04Z

Modified

2025-09-09T17:15:42Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

net: fix NULL pointer dereference in l3mdevl3rcv

When delete l3s ipvlan:

ip link del link eth0 ipvlan1 type ipvlan mode l3s

This may cause a null pointer dereference:

Call trace:
 ip_rcv_finish+0x48/0xd0
 ip_rcv+0x5c/0x100
 __netif_receive_skb_one_core+0x64/0xb0
 __netif_receive_skb+0x20/0x80
 process_backlog+0xb4/0x204
 napi_poll+0xe8/0x294
 net_rx_action+0xd8/0x22c
 __do_softirq+0x12c/0x354

This is because l3mdevl3rcv() visit dev->l3mdevops after ipvlanl3sunregister() assign the dev->l3mdevops to NULL. The process like this:

(CPU1)                     | (CPU2)
l3mdev_l3_rcv()            |
  check dev->priv_flags:   |
    master = skb->dev;     |
                           |
                           | ipvlan_l3s_unregister()
                           |   set dev->priv_flags
                           |   dev->l3mdev_ops = NULL;
                           |
  visit master->l3mdev_ops |

To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan.

References

CVE-2025-22103

Affected packages