CVE-2025-38665

Source
https://cve.org/CVERecord?id=CVE-2025-38665
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38665.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38665
Downstream
Related
Published
2025-08-22T16:02:57.458Z
Modified
2026-05-28T03:55:08.245282078Z
Summary
can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
Details

In the Linux kernel, the following vulnerability has been resolved:

can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode

Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback.

There are 2 code paths that call struct can_priv::do_set_mode:
- directly by a manual restart from the user space, via can_changelink()
- delayed automatic restart after bus off (deactivated by default)

To prevent the NULL pointer dereference, refuse a manual restart or configure the automatic restart delay in can_changelink() and report the error via extack to user space.

As an additional safety measure let can_restart() return an error if can_priv::do_set_mode is not set instead of dereferencing it unchecked.
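The two checks described above, shown as an added userspace model in C. This is not the kernel patch or code from this record: every model_* name, the struct layout, the error string and the -EOPNOTSUPP return code are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model, constructed for illustration; all names are hypothetical. */
struct model_priv {
    int restart_ms;   /* automatic restart delay, 0 = disabled */
    int bus_off;      /* 1 while the modelled device is in Bus Off */
    int (*do_set_mode)(struct model_priv *priv);  /* optional driver callback */
};

/* A driver that does implement the callback. */
int model_driver_set_mode(struct model_priv *priv) { (void)priv; return 0; }

/* Point of use: return an error instead of calling through a NULL pointer. */
int model_restart(struct model_priv *priv)
{
    int err;

    if (!priv->do_set_mode)
        return -EOPNOTSUPP;  /* error code is an assumption of this model */
    err = priv->do_set_mode(priv);
    if (!err)
        priv->bus_off = 0;
    return err;
}

/* Configuration entry point: refuse both requests up front and say why. */
int model_changelink(struct model_priv *priv, const int *restart_ms,
                     int manual_restart, const char **errmsg)
{
    if ((restart_ms || manual_restart) && !priv->do_set_mode) {
        *errmsg = "device does not support restart from Bus Off";
        return -EOPNOTSUPP;
    }
    if (restart_ms)
        priv->restart_ms = *restart_ms;  /* safe: the callback exists */
    return manual_restart ? model_restart(priv) : 0;
}

int main(void)
{
    struct model_priv dev = { 0, 1, NULL };  /* driver without the callback */
    const char *msg = "";
    int rc = model_changelink(&dev, NULL, 1, &msg);

    printf("manual restart: rc=%d (%s)\n", rc, msg);
    return 0;
}
```

Rejecting the restart delay at configuration time matters because the delayed automatic restart would otherwise reach the missing callback later, outside the request that set it up.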

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38665.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
39549eef3587f1c1e8c65c88a2400d10fd30ea17
Fixed
6bbcf37c5114926c99a1d1e6993a5b35689d2599
Fixed
cf81a60a973358dea163f6b14062f17831ceb894
Fixed
0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5
Fixed
6acceb46180f9e160d4f0c56fcaf39ba562822ae
Fixed
c1f3f9797c1f44a762e6f5f72520b2e520537b52

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38665.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.31
Fixed
6.1.148
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.101
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.41
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38665.json"