CVE-2025-38500
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38500
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38500.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38500
- Downstream
- Related
- Published
- 2025-08-12T16:02:42Z
- Modified
- 2025-10-18T04:32:57.087554Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- xfrm: interface: fix use-after-free after changing collect_md xfrm interface
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
xfrm: interface: fix use-after-free after changing collect_md xfrm interface
collectmd property on xfrm interfaces can only be set on device creation, thus xfrmichangelink() should fail when called on such interfaces.
The check to enforce this was done only in the case where the xi was returned from xfrmilocate() which doesn't look for the collectmd interface, and thus the validation was never reached.
Calling changelink would thus errornously place the special interface xi in the xfrminet->xfrmi hash, but since it also exists in the xfrminet->collectmdxfrmi pointer it would lead to a double free when the net namespace was taken down [1].
Change the check to use the xi from netdevpriv which is available earlier in the function to prevent changes in xfrm collectmd interfaces.
[1] resulting oops: [ 8.516540] kernel BUG at net/core/dev.c:12029! [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary) [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 8.516569] Workqueue: netns cleanupnet [ 8.516579] RIP: 0010:unregisternetdevicemanynotify+0x101/0xab0 [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24 [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206 [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60 [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122 [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100 [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00 [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00 [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000 [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0 [ 8.516625] PKRU: 55555554 [ 8.516627] Call Trace: [ 8.516632] <TASK> [ 8.516635] ? rtnlislocked+0x15/0x20 [ 8.516641] ? unregisternetdevicequeue+0x29/0xf0 [ 8.516650] opsundolist+0x1f2/0x220 [ 8.516659] cleanupnet+0x1ad/0x2e0 [ 8.516664] processonework+0x160/0x380 [ 8.516673] workerthread+0x2aa/0x3c0 [ 8.516679] ? _pfxworkerthread+0x10/0x10 [ 8.516686] kthread+0xfb/0x200 [ 8.516690] ? _pfxkthread+0x10/0x10 [ 8.516693] ? _pfxkthread+0x10/0x10 [ 8.516697] retfromfork+0x82/0xf0 [ 8.516705] ? _pfxkthread+0x10/0x10 [ 8.516709] retfromforkasm+0x1a/0x30 [ 8.516718] </TASK>
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/5918c3f4800a3aef2173865e5903370f21e24f47
- https://git.kernel.org/stable/c/69a31f7a6a81f5ffd3812c442e09ff0be22960f1
- https://git.kernel.org/stable/c/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4
- https://git.kernel.org/stable/c/a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b
- https://git.kernel.org/stable/c/bfebdb85496e1da21d3cf05de099210915c3e706
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedabc340b38ba25cd6c7aa2c0bd9150d30738c82d0Fixeda8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedabc340b38ba25cd6c7aa2c0bd9150d30738c82d0Fixedbfebdb85496e1da21d3cf05de099210915c3e706
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedabc340b38ba25cd6c7aa2c0bd9150d30738c82d0Fixed5918c3f4800a3aef2173865e5903370f21e24f47
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedabc340b38ba25cd6c7aa2c0bd9150d30738c82d0Fixed69a31f7a6a81f5ffd3812c442e09ff0be22960f1
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedabc340b38ba25cd6c7aa2c0bd9150d30738c82d0Fixeda90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b
Affected versions
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.101
v6.1.102
v6.1.103
v6.1.104
v6.1.105
v6.1.106
v6.1.107
v6.1.108
v6.1.109
v6.1.11
v6.1.110
v6.1.111
v6.1.112
v6.1.113
v6.1.114
v6.1.115
v6.1.116
v6.1.117
v6.1.118
v6.1.119
v6.1.12
v6.1.120
v6.1.121
v6.1.122
v6.1.123
v6.1.124
v6.1.125
v6.1.126
v6.1.127
v6.1.128
v6.1.129
v6.1.13
v6.1.130
v6.1.131
v6.1.132
v6.1.133
v6.1.134
v6.1.135
v6.1.136
v6.1.137
v6.1.138
v6.1.139
v6.1.14
v6.1.140
v6.1.141
v6.1.142
v6.1.143
v6.1.144
v6.1.145
v6.1.146
v6.1.147
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4
v6.15.5
v6.15.6
v6.15.7
v6.15.8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.100
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"target": {
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@69a31f7a6a81f5ffd3812c442e09ff0be22960f1",
"digest": {
"line_hashes": [
"251665910003892771853812828010632021349",
"218567249839053365318169661685465520025",
"28715266386234775550874733668135609724",
"9052779957901998673224515260051326068",
"66360540548241684469203684994685099719",
"56096645851349090778449293958584703143",
"174180228856989362291459673884566681692",
"8486616004530612224040872841152961603",
"287301522705319283045177362682993059724",
"259636837053541055601193816975929404724",
"319990410815632196029352401505637333036",
"307442544394176117815473839175305384137"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2025-38500-0975e93b",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"function": "xfrmi_changelink",
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfebdb85496e1da21d3cf05de099210915c3e706",
"digest": {
"length": 682.0,
"function_hash": "101386572577774279141785367962780376593"
},
"deprecated": false,
"id": "CVE-2025-38500-4df8b0db",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "xfrmi_changelink",
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4",
"digest": {
"length": 682.0,
"function_hash": "101386572577774279141785367962780376593"
},
"deprecated": false,
"id": "CVE-2025-38500-63596e56",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "xfrmi_changelink",
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5918c3f4800a3aef2173865e5903370f21e24f47",
"digest": {
"length": 682.0,
"function_hash": "101386572577774279141785367962780376593"
},
"deprecated": false,
"id": "CVE-2025-38500-8376ddda",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5918c3f4800a3aef2173865e5903370f21e24f47",
"digest": {
"line_hashes": [
"251665910003892771853812828010632021349",
"218567249839053365318169661685465520025",
"28715266386234775550874733668135609724",
"9052779957901998673224515260051326068",
"66360540548241684469203684994685099719",
"56096645851349090778449293958584703143",
"174180228856989362291459673884566681692",
"8486616004530612224040872841152961603",
"287301522705319283045177362682993059724",
"259636837053541055601193816975929404724",
"319990410815632196029352401505637333036",
"307442544394176117815473839175305384137"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2025-38500-8856bf9a",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4",
"digest": {
"line_hashes": [
"251665910003892771853812828010632021349",
"218567249839053365318169661685465520025",
"28715266386234775550874733668135609724",
"9052779957901998673224515260051326068",
"66360540548241684469203684994685099719",
"56096645851349090778449293958584703143",
"174180228856989362291459673884566681692",
"8486616004530612224040872841152961603",
"287301522705319283045177362682993059724",
"259636837053541055601193816975929404724",
"319990410815632196029352401505637333036",
"307442544394176117815473839175305384137"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2025-38500-aec9b47a",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfebdb85496e1da21d3cf05de099210915c3e706",
"digest": {
"line_hashes": [
"251665910003892771853812828010632021349",
"218567249839053365318169661685465520025",
"28715266386234775550874733668135609724",
"9052779957901998673224515260051326068",
"66360540548241684469203684994685099719",
"56096645851349090778449293958584703143",
"174180228856989362291459673884566681692",
"8486616004530612224040872841152961603",
"287301522705319283045177362682993059724",
"259636837053541055601193816975929404724",
"319990410815632196029352401505637333036",
"307442544394176117815473839175305384137"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2025-38500-b1cd8639",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"function": "xfrmi_changelink",
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@69a31f7a6a81f5ffd3812c442e09ff0be22960f1",
"digest": {
"length": 682.0,
"function_hash": "101386572577774279141785367962780376593"
},
"deprecated": false,
"id": "CVE-2025-38500-d7852880",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b",
"digest": {
"line_hashes": [
"251665910003892771853812828010632021349",
"218567249839053365318169661685465520025",
"28715266386234775550874733668135609724",
"9052779957901998673224515260051326068",
"66360540548241684469203684994685099719",
"56096645851349090778449293958584703143",
"174180228856989362291459673884566681692",
"8486616004530612224040872841152961603",
"287301522705319283045177362682993059724",
"259636837053541055601193816975929404724",
"319990410815632196029352401505637333036",
"307442544394176117815473839175305384137"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2025-38500-ebf2fb59",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"function": "xfrmi_changelink",
"file": "net/xfrm/xfrm_interface_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b",
"digest": {
"length": 682.0,
"function_hash": "101386572577774279141785367962780376593"
},
"deprecated": false,
"id": "CVE-2025-38500-fbc73e0f",
"signature_type": "Function"
}
]