CVE-2025-38666
- Source
- https://cve.org/CVERecord?id=CVE-2025-38666
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38666.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38666
- Downstream
- Published
- 2025-08-22T16:02:58.144Z
- Modified
- 2026-03-20T12:42:57.794046Z
- Summary
- net: appletalk: Fix use-after-free in AARP proxy probe
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: appletalk: Fix use-after-free in AARP proxy probe
The AARP proxyâprobe routine (aarpproxyprobenetwork) sends a probe, releases the aarplock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarpexpiretimer) can remove and kfree() the same entry, leading to a use-after-free.
race condition:
cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !!================================================================== BUG: KASAN: slab-use-after-free in aarpproxyprobe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278
CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dump_stacklvl+0x116/0x1b0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:408 [inline] printreport+0xc1/0x630 mm/kasan/report.c:521 kasanreport+0xca/0x100 mm/kasan/report.c:634 aarpproxyprobenetwork+0x560/0x630 net/appletalk/aarp.c:493 atifproxyprobedevice net/appletalk/ddp.c:332 [inline] atifioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalkioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sockdoioctl+0xdc/0x260 net/socket.c:1190 sockioctl+0x239/0x6a0 net/socket.c:1311 vfsioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:906 [inline] __sesysioctl fs/ioctl.c:892 [inline] __x64sysioctl+0x194/0x200 fs/ioctl.c:892 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xcb/0x250 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f </TASK>
Allocated: aarpalloc net/appletalk/aarp.c:382 [inline] aarpproxyprobenetwork+0xd8/0x630 net/appletalk/aarp.c:468 atifproxyprobedevice net/appletalk/ddp.c:332 [inline] atifioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarpexpiretimer net/appletalk/aarp.c:261 [inline] aarpexpiretimeout+0x480/0x6e0 net/appletalk/aarp.c:317
The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)
Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38666.json" }- References
-
- https://git.kernel.org/stable/c/186942d19c0222617ef61f50e1dba91e269a5963
- https://git.kernel.org/stable/c/2a6209e4649d45fd85d4193abc481911858ffc6f
- https://git.kernel.org/stable/c/5f02ea0f63dd38c41539ea290fcc1693c73aa8e5
- https://git.kernel.org/stable/c/6c4a92d07b0850342d3becf2e608f805e972467c
- https://git.kernel.org/stable/c/82d19a70ced28b17a38ebf1b6978c6c7db894979
- https://git.kernel.org/stable/c/b35694ffabb2af308a1f725d70f60fd8a47d1f3e
- https://git.kernel.org/stable/c/e4f1564c5b699eb89b3040688fd6b4e57922f1f6
- https://git.kernel.org/stable/c/f90b6bb203f3f38bf2b3d976113d51571df9a482
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38666.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-38666
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1da177e4c3f41524e886b7f1b8a0c1fc7321cac2Fixedb35694ffabb2af308a1f725d70f60fd8a47d1f3eFixed82d19a70ced28b17a38ebf1b6978c6c7db894979Fixed186942d19c0222617ef61f50e1dba91e269a5963Fixed2a6209e4649d45fd85d4193abc481911858ffc6fFixede4f1564c5b699eb89b3040688fd6b4e57922f1f6Fixed5f02ea0f63dd38c41539ea290fcc1693c73aa8e5Fixedf90b6bb203f3f38bf2b3d976113d51571df9a482Fixed6c4a92d07b0850342d3becf2e608f805e972467c