In the Linux kernel, the following vulnerability has been resolved:
xfrm: interface: fix use-after-free after changing collect_md xfrm interface
The collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces.
The check to enforce this was done only in the case where the xi was returned from xfrmi_locate(), which doesn't look for the collect_md interface, and thus the validation was never reached.
Calling changelink would thus erroneously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1].
Change the check to use the xi from netdev_priv(), which is available earlier in the function, to prevent changes in xfrm collect_md interfaces.
[1] resulting oops:
[ 8.516540] kernel BUG at net/core/dev.c:12029!
[ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)
[ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 8.516569] Workqueue: netns cleanup_net
[ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0
[ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24
[ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206
[ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60
[ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122
[ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100
[ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00
[ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00
[ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000
[ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0
[ 8.516625] PKRU: 55555554
[ 8.516627] Call Trace:
[ 8.516632] <TASK>
[ 8.516635] ? rtnl_is_locked+0x15/0x20
[ 8.516641] ? unregister_netdevice_queue+0x29/0xf0
[ 8.516650] ops_undo_list+0x1f2/0x220
[ 8.516659] cleanup_net+0x1ad/0x2e0
[ 8.516664] process_one_work+0x160/0x380
[ 8.516673] worker_thread+0x2aa/0x3c0
[ 8.516679] ? __pfx_worker_thread+0x10/0x10
[ 8.516686] kthread+0xfb/0x200
[ 8.516690] ? __pfx_kthread+0x10/0x10
[ 8.516693] ? __pfx_kthread+0x10/0x10
[ 8.516697] ret_from_fork+0x82/0xf0
[ 8.516705] ? __pfx_kthread+0x10/0x10
[ 8.516709] ret_from_fork_asm+0x1a/0x30
[ 8.516718] </TASK>
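As an added illustration that is not kernel code and not part of this record, the following C model reproduces the mechanism described above: a hash of xfrm interfaces plus a separate collect_md pointer, an xfrmi_locate() that only walks the hash, and xfrmi_changelink() in both the old and the fixed shape. With the old check the collect_md device ends up in the hash as well, so a teardown that walks the hash and then the collect_md pointer reaches it twice; with the fix the change is rejected up front. Structure layouts, the hash size and the if_id values are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the kernel's xfrmi_net built from the description above (not kernel
 * code): a hash of interfaces plus the one collect_md interface, kept outside the hash. */
#define XFRMI_HASH_SIZE 4
struct xfrm_if { unsigned int if_id; bool collect_md; struct xfrm_if *next; };
struct xfrmi_net { struct xfrm_if *xfrmi[XFRMI_HASH_SIZE]; struct xfrm_if *collect_md_xfrmi; };
/* Like the real helper, walks only the hash, so the collect_md device is never found. */
static struct xfrm_if *xfrmi_locate(struct xfrmi_net *xn, unsigned int if_id)
{
	for (struct xfrm_if *xi = xn->xfrmi[if_id % XFRMI_HASH_SIZE]; xi; xi = xi->next)
		if (xi->if_id == if_id) return xi;
	return NULL;
}
/* Apply the new if_id and link into its bucket (the kernel's unlink-from-old-bucket step
 * is a no-op for a device that was never in the hash, so it is omitted in this model). */
static void xfrmi_update(struct xfrmi_net *xn, struct xfrm_if *xi, unsigned int new_id)
{
	xi->if_id = new_id;
	xi->next = xn->xfrmi[new_id % XFRMI_HASH_SIZE];
	xn->xfrmi[new_id % XFRMI_HASH_SIZE] = xi;
}

/* changelink with (fixed = true) and without (fixed = false) the change described above. */
static int xfrmi_changelink(struct xfrmi_net *xn, struct xfrm_if *dev, unsigned int new_id, bool fixed)
{
	if (fixed && dev->collect_md) return -EINVAL; /* the fix: netdev_priv's own xi, checked first */
	struct xfrm_if *xi = xfrmi_locate(xn, new_id);
	if (xi && xi != dev) return -EEXIST;
	if (xi && xi->collect_md) return -EINVAL;     /* old check: unreachable for the collect_md device */
	xfrmi_update(xn, dev, new_id);                /* collect_md device now also sits in the hash */
	return 0;
}

/* Constructed scenario: one collect_md device (if_id 1) is changelinked to if_id 7. Returns how
 * often teardown (hash walk, then collect_md_xfrmi) would reach it; *rc gets changelink's result. */
static int teardown_visits(bool fixed, int *rc)
{
	struct xfrmi_net xn = { 0 };
	struct xfrm_if md = { 1, true, NULL };
	xn.collect_md_xfrmi = &md;
	*rc = xfrmi_changelink(&xn, &md, 7, fixed);
	int n = (xn.collect_md_xfrmi == &md);
	for (int h = 0; h < XFRMI_HASH_SIZE; h++)
		for (struct xfrm_if *xi = xn.xfrmi[h]; xi; xi = xi->next)
			n += (xi == &md);
	return n;
}
```

teardown_visits(false, &rc) returns 2 with rc == 0, the double unregistration behind the oops quoted above; teardown_visits(true, &rc) returns 1 with rc == -EINVAL.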