CVE-2025-39827
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: include node references in rose_neigh refcount
Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock.
This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented.
This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node().
These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4cce478c3e82a5fc788d72adb2f4c4e983997639 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 9c547c8eee9d1cf6e744611d688b9f725cf9a115 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d7563b456ed44151e1a82091d96f60166daea89b | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 384210cceb1873a4c8218b27ba0745444436b728 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < da9c9c877597170b929a6121a68dcd3dd9a80f45 | affected |
| Linux | Linux | 2.6.12 | affected |
| Linux | Linux | 0 < 2.6.12 | unaffected |
| Linux | Linux | 6.1.150 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.104 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.45 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.5 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
Additional References
References
- https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639
- https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115
- https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b
- https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728
- https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.