In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices
The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices:
# ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1
# ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1
$ ip neigh show dev gre1 nud noarp
0.0.0.0 lladdr 0.0.0.0 NOARP
(Note that the neighbor is not marked with 'offload')
When the driver is reloaded and the existing configuration is replayed, the driver does not perform the same check regarding existing neighbors and offloads the previously added one:
# devlink dev reload pci/0000:01:00.0
$ ip neigh show dev gre1 nud noarp
0.0.0.0 lladdr 0.0.0.0 offload NOARP
If the neighbor is later deleted, the driver will ignore the notification (given the GRE net device is not its upper) and will therefore keep referencing freed memory, resulting in a use-after-free [1] when the net device is deleted:
# ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1
# ip link del dev gre1
Fix by skipping neighbor replay if the net device for which the replay is performed is not our upper.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200
Read of size 8 at addr ffff888155b0e420 by task ip/2282
[...]
Call Trace:
 <TASK>
 dump_stack_lvl+0x6f/0xa0
 print_address_description.constprop.0+0x6f/0x350
 print_report+0x108/0x205
 kasan_report+0xdf/0x110
 mlxsw_sp_neigh_entry_update+0x1ea/0x200
 mlxsw_sp_router_rif_gone_sync+0x2a8/0x440
 mlxsw_sp_rif_destroy+0x1e9/0x750
 mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0
 mlxsw_sp_router_netdevice_event+0x3ac/0x15e0
 notifier_call_chain+0xca/0x150
 call_netdevice_notifiers_info+0x7f/0x100
 unregister_netdevice_many_notify+0xc8c/0x1d90
 rtnl_dellink+0x34e/0xa50
 rtnetlink_rcv_msg+0x6fb/0xb70
 netlink_rcv_skb+0x131/0x360
 netlink_unicast+0x426/0x710
 netlink_sendmsg+0x75a/0xc20
 sock_sendmsg+0xc1/0x150
 ____sys_sendmsg+0x5aa/0x7b0
 ___sys_sendmsg+0xfc/0x180
 __sys_sendmsg+0x121/0x1b0
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
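The failure pattern in the commit message, an admission check applied on the live notifier path but missing on the reload replay path, can be modelled in user space. The following is an added illustration, not mlxsw code: the device, neighbour and driver structures and every function name (driver_neigh_event, driver_neigh_replay, driver_rif_gone_sync, run_scenario) are hypothetical stand-ins for the driver's real objects, and the neighbour's "freed" flag stands in for kfree() so that the dangling reference can be counted instead of actually read. Running the same add / reload / delete / unregister sequence with and without the upper check in the replay shows why only the unfixed variant ends up touching a freed neighbour.

```c
/* Hypothetical model of neighbour offload replay (not mlxsw driver code). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct net_device {
    const char *name;
    bool driver_upper;   /* registered by the driver, or an upper of such a device */
};

struct neighbour {
    struct net_device *dev;
    bool freed;          /* stand-in for kfree(): lets the model detect a dangling read */
};

/* Driver-side bookkeeping: one entry per neighbour the driver has offloaded. */
struct neigh_entry {
    struct neighbour *key;
    struct neigh_entry *next;
};

struct driver {
    struct neigh_entry *entries;
    bool replay_checks_upper;   /* false models the behaviour before the fix */
};

struct scenario_result {
    int offloaded_after_replay;  /* entries present after "devlink dev reload" */
    int dangling_on_unregister;  /* entries referencing a freed neighbour at "ip link del" */
};

static bool driver_is_upper(const struct net_device *dev) { return dev->driver_upper; }

static void driver_offload(struct driver *drv, struct neighbour *n)
{
    struct neigh_entry *e = calloc(1, sizeof(*e));
    if (!e) abort();
    e->key = n;
    e->next = drv->entries;
    drv->entries = e;
}

static void driver_unoffload(struct driver *drv, struct neighbour *n)
{
    for (struct neigh_entry **pp = &drv->entries; *pp; pp = &(*pp)->next) {
        if ((*pp)->key == n) {
            struct neigh_entry *e = *pp;
            *pp = e->next;
            free(e);
            return;
        }
    }
}

static int driver_entry_count(const struct driver *drv)
{
    int count = 0;
    for (const struct neigh_entry *e = drv->entries; e; e = e->next) count++;
    return count;
}

/* Live notifier path: add and delete are both filtered by the upper check, so a
 * neighbour on a non-upper device is neither offloaded nor un-offloaded here. */
static void driver_neigh_event(struct driver *drv, struct neighbour *n, bool add)
{
    if (!driver_is_upper(n->dev)) return;
    if (add) driver_offload(drv, n); else driver_unoffload(drv, n);
}

/* Replay of existing neighbours after reload: the fix adds the same upper check. */
static void driver_neigh_replay(struct driver *drv, struct neighbour **neighs, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (drv->replay_checks_upper && !driver_is_upper(neighs[i]->dev)) continue;
        driver_offload(drv, neighs[i]);
    }
}

/* Net device going away: the driver walks its entries and touches each neighbour.
 * Returns how many of those neighbours were already freed (the UAF in the kernel). */
static int driver_rif_gone_sync(const struct driver *drv)
{
    int dangling = 0;
    for (const struct neigh_entry *e = drv->entries; e; e = e->next)
        if (e->key->freed) dangling++;   /* the read KASAN flags in the real driver */
    return dangling;
}

/* Replays the sequence from the commit message; 'fixed' selects the replay check. */
struct scenario_result run_scenario(bool fixed)
{
    struct net_device gre1 = { "gre1", false };          /* GRE device, not our upper */
    struct neighbour *n = calloc(1, sizeof(*n));
    if (!n) abort();
    n->dev = &gre1;
    struct driver drv = { NULL, fixed };
    struct scenario_result r;

    driver_neigh_event(&drv, n, true);                   /* ip neigh add ... dev gre1 */
    struct neighbour *existing[] = { n };
    driver_neigh_replay(&drv, existing, 1);              /* devlink dev reload */
    r.offloaded_after_replay = driver_entry_count(&drv);
    driver_neigh_event(&drv, n, false);                  /* ip neigh del: ignored, not upper */
    n->freed = true;                                     /* core frees the neighbour */
    r.dangling_on_unregister = driver_rif_gone_sync(&drv); /* ip link del dev gre1 */

    while (drv.entries) {                                /* model cleanup */
        struct neigh_entry *e = drv.entries;
        drv.entries = e->next;
        free(e);
    }
    free(n);
    return r;
}

int main(void)
{
    struct scenario_result before = run_scenario(false), after = run_scenario(true);
    printf("before fix: offloaded=%d dangling=%d\n",
           before.offloaded_after_replay, before.dangling_on_unregister);
    printf("after fix:  offloaded=%d dangling=%d\n",
           after.offloaded_after_replay, after.dangling_on_unregister);
    return 0;
}
```

The point the model makes is that a delete path which filters on the same predicate as the add path is only safe if every path that can create an entry applies that predicate too; the replay path did not, so the entry it created was unreachable by the delete path and outlived the object it referenced.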