CVE-2025-38476
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38476
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38476.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38476
- Downstream
- Published
- 2025-07-28T12:15:29Z
- Modified
- 2025-07-29T14:49:58.409400Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
rpl: Fix use-after-free in rpldosrh_inline().
Running lwtdstcacherefloop.sh in selftest with KASAN triggers the splat below [0].
rpldosrhinline() fetches ipv6hdr(skb) and accesses it after skbcowhead(), which is illegal as the header could be freed then.
Let's fix it by making oldhdr to a local struct instead of a pointer.
... TEST: rpl (input) [ 57.631529] ================================================================== BUG: KASAN: slab-use-after-free in rpldosrhinline.isra.0 (net/ipv6/rpliptunnel.c:174) Read of size 40 at addr ffff888122bf96d8 by task ping6/1543
CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <IRQ> dumpstacklvl (lib/dumpstack.c:122) printreport (mm/kasan/report.c:409 mm/kasan/report.c:521) kasanreport (mm/kasan/report.c:221 mm/kasan/report.c:636) kasancheckrange (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1)) _asanmemmove (mm/kasan/shadow.c:94 (discriminator 2)) rpldosrhinline.isra.0 (net/ipv6/rpliptunnel.c:174) rplinput (net/ipv6/rpliptunnel.c:201 net/ipv6/rpliptunnel.c:282) lwtunnelinput (net/core/lwtunnel.c:459) ipv6rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6input.c:311 (discriminator 1)) _netifreceiveskbonecore (net/core/dev.c:5967) processbacklog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) _napipoll.constprop.0 (net/core/dev.c:7452) netrxaction (net/core/dev.c:7518 net/core/dev.c:7643) handlesoftirqs (kernel/softirq.c:579) dosoftirq (kernel/softirq.c:480 (discriminator 20)) </IRQ> <TASK> _localbhenableip (kernel/softirq.c:407) _devqueuexmit (net/core/dev.c:4740) ip6finishoutput2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6output.c:141) ip6finishoutput (net/ipv6/ip6output.c:215 net/ipv6/ip6output.c:226) ip6output (./include/linux/netfilter.h:306 net/ipv6/ip6output.c:248) ip6sendskb (net/ipv6/ip6output.c:1983) rawv6sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) _syssendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) _x64syssendto (net/socket.c:2231) dosyscall64 (arch/x86/entry/syscall64.c:63 (discriminator 1) arch/x86/entry/syscall64.c:94 (discriminator 1)) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:130) RIP: 0033:0x7f68cffb2a06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06 RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003 RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4 R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0 </TASK>
Allocated by task 1543: kasansavestack (mm/kasan/common.c:48) kasansavetrack (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) _kasanslaballoc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmemcacheallocnodenoprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) kmallocreserve (net/core/skbuff.c:581 (discriminator 88)) _allocskb (net/core/skbuff.c:669) _ip6appenddata (net/ipv6/ip6output.c:1672 (discriminator 1)) ip6_ ---truncated---
- References
-
- https://git.kernel.org/stable/c/034b428aa3583373a5a20b1c5931bb2b3cae1f36
- https://git.kernel.org/stable/c/06ec83b6c792fde1f710c1de3e836da6e257c4c4
- https://git.kernel.org/stable/c/62dcd9d6e61c39122d2f251a26829e2e55b0a11d
- https://git.kernel.org/stable/c/b640daa2822a39ff76e70200cb2b7b892b896dce
- https://git.kernel.org/stable/c/e8101506ab86dd78f823b7028f2036a380f3a12a
- https://security-tracker.debian.org/tracker/CVE-2025-38476
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected