CVE-2025-39980

Summary

In the Linux kernel, the following vulnerability has been resolved:

nexthop: Forbid FDB status change while nexthop is in a group

The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops:

ip nexthop add id 1 via 192.0.2.1 fdb

ip nexthop add id 2 group 1

Error: Non FDB nexthop group cannot have fdb nexthops.

And vice versa:

ip nexthop add id 3 via 192.0.2.2 dev dummy1

ip nexthop add id 4 group 3 fdb

Error: FDB nexthop group can only have fdb nexthops.

However, as long as no routes are pointing to a non-FDB nexthop group, the kernel allows changing the type of a nexthop from FDB to non-FDB and vice versa:

ip nexthop add id 5 via 192.0.2.2 dev dummy1

ip nexthop add id 6 group 5

ip nexthop replace id 5 via 192.0.2.2 fdb

echo $?

0

This configuration is invalid and can result in a NPD [1] since FDB nexthops are not associated with a nexthop device:

ip route add 198.51.100.1/32 nhid 6

ping 198.51.100.1

Fix by preventing nexthop FDB status change while the nexthop is in a group:

ip nexthop add id 7 via 192.0.2.2 dev dummy1

ip nexthop add id 8 group 7

ip nexthop replace id 7 via 192.0.2.2 fdb

Error: Cannot change nexthop FDB status while in a group.

[1] BUG: kernel NULL pointer dereference, address: 00000000000003c0 […] Oops: Oops: 0000 [#1] SMP CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:fib_lookup_good_nhc+0x1e/0x80 […] Call Trace: <TASK> fib_table_lookup+0x541/0x650 ip_route_output_key_hash_rcu+0x2ea/0x970 ip_route_output_key_hash+0x55/0x80 __ip4_datagram_connect+0x250/0x330 udp_connect+0x2b/0x60 __sys_connect+0x9c/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0xa4/0x2a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Affected Software

VendorProductVersion RangeStatus
LinuxLinux38428d68719c454d269cb03b776d8a4b0ad66111 < e1e87ac0daacd51f522ecd1645cd76b5809303edaffected
LinuxLinux38428d68719c454d269cb03b776d8a4b0ad66111 < 0e7bfe7a268ccbd7859730c529161cafbf44637caffected
LinuxLinux38428d68719c454d269cb03b776d8a4b0ad66111 < ec428fff792b7bd15b248dafca2e654b666b1304affected
LinuxLinux38428d68719c454d269cb03b776d8a4b0ad66111 < 24046d31f6f92220852d393d510b6062843e3fbdaffected
LinuxLinux38428d68719c454d269cb03b776d8a4b0ad66111 < f0e49fd13afe9dea7a09a1c9537fd00cea22badbaffected
LinuxLinux38428d68719c454d269cb03b776d8a4b0ad66111 < 8dd4aa0122885f710930de135af2adc4ccc3238faffected
LinuxLinux38428d68719c454d269cb03b776d8a4b0ad66111 < 390b3a300d7872cef9588f003b204398be69ce08affected
LinuxLinux5.8affected
LinuxLinux0 < 5.8unaffected
LinuxLinux5.10.245 <= 5.10.*unaffected
LinuxLinux5.15.194 <= 5.15.*unaffected
LinuxLinux6.1.155 <= 6.1.*unaffected
LinuxLinux6.6.109 <= 6.6.*unaffected
LinuxLinux6.12.50 <= 6.12.*unaffected
LinuxLinux6.16.10 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

References