OESA-2025-2005

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

vlan: enforce underlying device type

Currently, VLAN devices can be created on top of non-ethernet devices.

Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode.

When creating a VLAN device, we initialize GARP (garpinitapplicant) and MRP (mrpinitapplicant) for the underlying device.

As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling devmcadd.

_devmcadd uses dev->addrlen to determine the length of the new multicast address.

This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long.

This behaviour can be reproduced using the following commands:

ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100

Then, the following command will display the address of garppdurcv:

ip maddr show | grep 01:80:c2:00:00:21

Fix the bug by enforcing the type of the underlying device during VLAN device initialization.(CVE-2025-21920)

In the Linux kernel, the following vulnerability has been resolved:

net: gso: fix ownership in _udpgso_segment

In _udpgso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug:

kernel BUG at ./include/linux/skbuff.h:3312! (skborphan) RIP: 0010:iprcvcore+0x8b2/0xca0 Call Trace: iprcv+0xab/0x6e0 _netifreceiveskbonecore+0x168/0x1b0 processbacklog+0x384/0x1100 _napipoll.constprop.0+0xa1/0x370 netrxaction+0x925/0xe50

The above can happen following a sequence of events when using OpenVSwitch, when an OVSACTIONATTRUSERSPACE action precedes an OVSACTIONATTROUTPUT action:

1. OVSACTIONATTRUSERSPACE is handled (in doexecuteactions): the skb goes through queuegsopackets and then _udpgsosegment, where its destructor is removed.
2. The segments' data are copied and sent to userspace.
3. OVSACTIONATTROUTPUT is handled (in doexecute_actions) and the same original skb is sent to its path.
4. If it later hits skb_orphan, we hit the bug.

Fix this by also removing the reference to the socket in _udpgso_segment.(CVE-2025-21926)

In the Linux kernel, the following vulnerability has been resolved:

net: atm: fix use after free in lec_send()

The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free.(CVE-2025-22004)

In the Linux kernel, the following vulnerability has been resolved:

posix-cpu-timers: fix race between handleposixcputimers() and posixcputimerdel()

If an exiting non-autoreaping task has already passed exitnotify() and calls handleposixcputimers() from IRQ, it can be reaped by its parent or debugger right after unlocktasksighand().

If a concurrent posixcputimerdel() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cputimertaskrcu() and/or locktasksighand() will fail.

Add the tsk->exitstate check into runposixcputimers() to fix this.

This fix is not needed if CONFIGPOSIXCPUTIMERSTASKWORK=y, because exittaskwork() is called before exitnotify(). But the check still makes sense, taskworkadd(&tsk->posixcputimerswork.work) will fail anyway in this case.(CVE-2025-38352)