CVE-2025-22103

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-22103

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22103.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-22103

Downstream

BELL-CVE-2025-22103

DEBIAN-CVE-2025-22103

DSA-6008-1

ECHO-7776-ed3c-bfbe

MINI-7hpm-hw69-7q7c

OESA-2025-1878

OESA-2025-1879

OESA-2025-1880

ROOT-OS-DEBIAN-11-CVE-2025-22103

ROOT-OS-DEBIAN-12-CVE-2025-22103

ROOT-OS-DEBIAN-13-CVE-2025-22103

ROOT-OS-UBUNTU-2204-CVE-2025-22103

ROOT-OS-UBUNTU-2404-CVE-2025-22103

SUSE-SU-2025:01919-1

SUSE-SU-2025:01951-1

SUSE-SU-2025:01964-1

SUSE-SU-2025:01965-1

SUSE-SU-2025:01967-1

SUSE-SU-2025:01972-1

SUSE-SU-2025:02000-1

SUSE-SU-2025:20408-1

SUSE-SU-2025:20413-1

SUSE-SU-2025:20419-1

SUSE-SU-2025:20421-1

UBUNTU-CVE-2025-22103

USN-7594-1

USN-7594-2

USN-7594-3

USN-8095-1

USN-8095-2

USN-8095-3

USN-8095-4

USN-8100-1

USN-8125-1

USN-8126-1

Related

Published

2025-04-16T14:12:52.164Z

Modified

2026-03-20T12:41:19.441551Z

Summary

net: fix NULL pointer dereference in l3mdev_l3_rcv

Details

In the Linux kernel, the following vulnerability has been resolved:

net: fix NULL pointer dereference in l3mdevl3rcv

When delete l3s ipvlan:

ip link del link eth0 ipvlan1 type ipvlan mode l3s

This may cause a null pointer dereference:

Call trace:
 ip_rcv_finish+0x48/0xd0
 ip_rcv+0x5c/0x100
 __netif_receive_skb_one_core+0x64/0xb0
 __netif_receive_skb+0x20/0x80
 process_backlog+0xb4/0x204
 napi_poll+0xe8/0x294
 net_rx_action+0xd8/0x22c
 __do_softirq+0x12c/0x354

This is because l3mdevl3rcv() visit dev->l3mdevops after ipvlanl3sunregister() assign the dev->l3mdevops to NULL. The process like this:

(CPU1)                     | (CPU2)
l3mdev_l3_rcv()            |
  check dev->priv_flags:   |
    master = skb->dev;     |
                           |
                           | ipvlan_l3s_unregister()
                           |   set dev->priv_flags
                           |   dev->l3mdev_ops = NULL;
                           |
  visit master->l3mdev_ops |

To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22103.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c675e06a98a474f7ad0af32ce467613da818da52

Fixed

52b44d8c653459c658b733d13658afdde45f6836

Fixed

59599bce44af3df7a215ebc81cb166426e1c9204

Fixed

f9dff65140efc289f01bcf39c3ca66a8806b6132

Fixed

0032c99e83b9ce6d5995d65900aa4b6ffb501cce

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22103.json"