certfr_avis - certfr-2025-avi-1107

CERTFR-2025-AVI-1107

Vulnerability from certfr_avis - Published: 2025-12-12 - Updated: 2025-12-12

De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Elles permettent à un attaquant de provoquer un déni de service et un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	SUSE	N/A	SUSE Linux Micro 6.1
	SUSE	N/A	SUSE Linux Micro 6.0

References

Title

Publication Time

Tags

Bulletin de sécurité SUSE SUSE-SU-2025:21103-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21095-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21100-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21115-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21096-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21124-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21093-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21098-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21102-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21122-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21114-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21123-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21094-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21092-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21104-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21101-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21099-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21097-1	2025-11-28	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:21113-1	2025-11-28	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SUSE Linux Micro 6.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Micro 6.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-38500",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-38500"
    },
    {
      "name": "CVE-2025-38616",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-38616"
    },
    {
      "name": "CVE-2025-23145",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23145"
    },
    {
      "name": "CVE-2024-53141",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53141"
    }
  ],
  "initial_release_date": "2025-12-12T00:00:00",
  "last_revision_date": "2025-12-12T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-1107",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-12-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "D\u00e9ni de service"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
  "vendor_advisories": [
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21103-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521103-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21095-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521095-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21100-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521100-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21115-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521115-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21096-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521096-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21124-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521124-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21093-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521093-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21098-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521098-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21102-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521102-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21122-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521122-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21114-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521114-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21123-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521123-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21094-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521094-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21092-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521092-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21104-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521104-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21101-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521101-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21099-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521099-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21097-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521097-1"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:21113-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521113-1"
    }
  ]
}

CVE-2025-23145 (GCVE-0-2025-23145)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-11-03 19:42

Title

mptcp: fix NULL pointer in can_accept_new_subflow

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer in can_accept_new_subflow When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. Call trace: mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ... According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons. Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently). The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here. This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional. Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8cf7fef1bb2ffea77…
	https://git.kernel.org/stable/c/b3088bd2a6790c8ef…
	https://git.kernel.org/stable/c/855bf0aacd51fced1…
	https://git.kernel.org/stable/c/7f9ae060ed64aef8f…
	https://git.kernel.org/stable/c/dc81e41a307df5230…
	https://git.kernel.org/stable/c/efd58a8dd9e7a709a…
	https://git.kernel.org/stable/c/4b2649b9717678aeb…
	https://git.kernel.org/stable/c/443041deb5ef6a128…

Impacted products

Vendor

Product

Version

Linux

Affected: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 , < 8cf7fef1bb2ffea7792bcbf71ca00216cecc725d (git)
Affected: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 , < b3088bd2a6790c8efff139d86d7a9d0b1305977b (git)
Affected: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 , < 855bf0aacd51fced11ea9aa0d5101ee0febaeadb (git)
Affected: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 , < 7f9ae060ed64aef8f174c5f1ea513825b1be9af1 (git)
Affected: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 , < dc81e41a307df523072186b241fa8244fecd7803 (git)
Affected: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 , < efd58a8dd9e7a709a90ee486a4247c923d27296f (git)
Affected: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 , < 4b2649b9717678aeb097893cc49f59311a1ecab0 (git)
Affected: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 , < 443041deb5ef6a1289a99ed95015ec7442f141dc (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:35.316Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/subflow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8cf7fef1bb2ffea7792bcbf71ca00216cecc725d",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "b3088bd2a6790c8efff139d86d7a9d0b1305977b",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "855bf0aacd51fced11ea9aa0d5101ee0febaeadb",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "7f9ae060ed64aef8f174c5f1ea513825b1be9af1",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "dc81e41a307df523072186b241fa8244fecd7803",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "efd58a8dd9e7a709a90ee486a4247c923d27296f",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "4b2649b9717678aeb097893cc49f59311a1ecab0",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "443041deb5ef6a1289a99ed95015ec7442f141dc",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/subflow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix NULL pointer in can_accept_new_subflow\n\nWhen testing valkey benchmark tool with MPTCP, the kernel panics in\n\u0027mptcp_can_accept_new_subflow\u0027 because subflow_req-\u003emsk is NULL.\n\nCall trace:\n\n  mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)\n  subflow_syn_recv_sock (./net/mptcp/subflow.c:854)\n  tcp_check_req (./net/ipv4/tcp_minisocks.c:863)\n  tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)\n  ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (./net/ipv4/ip_input.c:234)\n  ip_local_deliver (./net/ipv4/ip_input.c:254)\n  ip_rcv_finish (./net/ipv4/ip_input.c:449)\n  ...\n\nAccording to the debug log, the same req received two SYN-ACK in a very\nshort time, very likely because the client retransmits the syn ack due\nto multiple reasons.\n\nEven if the packets are transmitted with a relevant time interval, they\ncan be processed by the server on different CPUs concurrently). The\n\u0027subflow_req-\u003emsk\u0027 ownership is transferred to the subflow the first,\nand there will be a risk of a null pointer dereference here.\n\nThis patch fixes this issue by moving the \u0027subflow_req-\u003emsk\u0027 under the\n`own_req == true` conditional.\n\nNote that the !msk check in subflow_hmac_valid() can be dropped, because\nthe same check already exists under the own_req mpj branch where the\ncode has been moved to."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:25.316Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8cf7fef1bb2ffea7792bcbf71ca00216cecc725d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3088bd2a6790c8efff139d86d7a9d0b1305977b"
        },
        {
          "url": "https://git.kernel.org/stable/c/855bf0aacd51fced11ea9aa0d5101ee0febaeadb"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f9ae060ed64aef8f174c5f1ea513825b1be9af1"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc81e41a307df523072186b241fa8244fecd7803"
        },
        {
          "url": "https://git.kernel.org/stable/c/efd58a8dd9e7a709a90ee486a4247c923d27296f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b2649b9717678aeb097893cc49f59311a1ecab0"
        },
        {
          "url": "https://git.kernel.org/stable/c/443041deb5ef6a1289a99ed95015ec7442f141dc"
        }
      ],
      "title": "mptcp: fix NULL pointer in can_accept_new_subflow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23145",
    "datePublished": "2025-05-01T12:55:34.622Z",
    "dateReserved": "2025-01-11T14:28:41.512Z",
    "dateUpdated": "2025-11-03T19:42:35.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38616 (GCVE-0-2025-38616)

Vulnerability from cvelistv5 – Published: 2025-08-22 13:01 – Updated: 2025-09-29 05:54

Title

tls: handle data disappearing from under the TLS ULP

Summary

In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f1fe99919f629f980…
	https://git.kernel.org/stable/c/eb0336f213fe88bbd…
	https://git.kernel.org/stable/c/db3658a12d5ec4db7…
	https://git.kernel.org/stable/c/2fb97ed9e2672b4f6…
	https://git.kernel.org/stable/c/6db015fc4b5d5f63a…

Impacted products

Vendor

Product

Version

Linux

Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < f1fe99919f629f980d0b8a7ff16950bffe06a859 (git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < eb0336f213fe88bbdb7d2b19c9c9ec19245a3155 (git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < db3658a12d5ec4db7185ae7476151a50521b7207 (git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 2fb97ed9e2672b4f6e24ce206ac1a875ce4bcb38 (git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 6db015fc4b5d5f63a64a193f65d98da3a7fc811d (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls.h",
            "net/tls/tls_strp.c",
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1fe99919f629f980d0b8a7ff16950bffe06a859",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "eb0336f213fe88bbdb7d2b19c9c9ec19245a3155",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "db3658a12d5ec4db7185ae7476151a50521b7207",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "2fb97ed9e2672b4f6e24ce206ac1a875ce4bcb38",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "6db015fc4b5d5f63a64a193f65d98da3a7fc811d",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls.h",
            "net/tls/tls_strp.c",
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: handle data disappearing from under the TLS ULP\n\nTLS expects that it owns the receive queue of the TCP socket.\nThis cannot be guaranteed in case the reader of the TCP socket\nentered before the TLS ULP was installed, or uses some non-standard\nread API (eg. zerocopy ones). Replace the WARN_ON() and a buggy\nearly exit (which leaves anchor pointing to a freed skb) with real\nerror handling. Wipe the parsing state and tell the reader to retry.\n\nWe already reload the anchor every time we (re)acquire the socket lock,\nso the only condition we need to avoid is an out of bounds read\n(not having enough bytes in the socket for previously parsed record len).\n\nIf some data was read from under TLS but there\u0027s enough in the queue\nwe\u0027ll reload and decrypt what is most likely not a valid TLS record.\nLeading to some undefined behavior from TLS perspective (corrupting\na stream? missing an alert? missing an attack?) but no kernel crash\nshould take place."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:51.143Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1fe99919f629f980d0b8a7ff16950bffe06a859"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb0336f213fe88bbdb7d2b19c9c9ec19245a3155"
        },
        {
          "url": "https://git.kernel.org/stable/c/db3658a12d5ec4db7185ae7476151a50521b7207"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fb97ed9e2672b4f6e24ce206ac1a875ce4bcb38"
        },
        {
          "url": "https://git.kernel.org/stable/c/6db015fc4b5d5f63a64a193f65d98da3a7fc811d"
        }
      ],
      "title": "tls: handle data disappearing from under the TLS ULP",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38616",
    "datePublished": "2025-08-22T13:01:23.217Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-09-29T05:54:51.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38500 (GCVE-0-2025-38500)

Vulnerability from cvelistv5 – Published: 2025-08-12 16:02 – Updated: 2025-11-03 17:39

Title

xfrm: interface: fix use-after-free after changing collect_md xfrm interface

Summary

In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached. Calling changelink would thus errornously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1]. Change the check to use the xi from netdev_priv which is available earlier in the function to prevent changes in xfrm collect_md interfaces. [1] resulting oops: [ 8.516540] kernel BUG at net/core/dev.c:12029! [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary) [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 8.516569] Workqueue: netns cleanup_net [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0 [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24 [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206 [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60 [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122 [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100 [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00 [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00 [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000 [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0 [ 8.516625] PKRU: 55555554 [ 8.516627] Call Trace: [ 8.516632] <TASK> [ 8.516635] ? rtnl_is_locked+0x15/0x20 [ 8.516641] ? unregister_netdevice_queue+0x29/0xf0 [ 8.516650] ops_undo_list+0x1f2/0x220 [ 8.516659] cleanup_net+0x1ad/0x2e0 [ 8.516664] process_one_work+0x160/0x380 [ 8.516673] worker_thread+0x2aa/0x3c0 [ 8.516679] ? __pfx_worker_thread+0x10/0x10 [ 8.516686] kthread+0xfb/0x200 [ 8.516690] ? __pfx_kthread+0x10/0x10 [ 8.516693] ? __pfx_kthread+0x10/0x10 [ 8.516697] ret_from_fork+0x82/0xf0 [ 8.516705] ? __pfx_kthread+0x10/0x10 [ 8.516709] ret_from_fork_asm+0x1a/0x30 [ 8.516718] </TASK>

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a8d4748b954584ab7…
	https://git.kernel.org/stable/c/bfebdb85496e1da21…
	https://git.kernel.org/stable/c/5918c3f4800a3aef2…
	https://git.kernel.org/stable/c/69a31f7a6a81f5ffd…
	https://git.kernel.org/stable/c/a90b2a1aaacbcf0f9…

Impacted products

Vendor

Product

Version

Linux

Affected: abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4 (git)
Affected: abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < bfebdb85496e1da21d3cf05de099210915c3e706 (git)
Affected: abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < 5918c3f4800a3aef2173865e5903370f21e24f47 (git)
Affected: abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < 69a31f7a6a81f5ffd3812c442e09ff0be22960f1 (git)
Affected: abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.101 , ≤ 6.6.* (semver)
Unaffected: 6.12.41 , ≤ 6.12.* (semver)
Unaffected: 6.15.9 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-38500",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T18:10:59.896187Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T18:12:31.018Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:09.573Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_interface_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4",
              "status": "affected",
              "version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
              "versionType": "git"
            },
            {
              "lessThan": "bfebdb85496e1da21d3cf05de099210915c3e706",
              "status": "affected",
              "version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
              "versionType": "git"
            },
            {
              "lessThan": "5918c3f4800a3aef2173865e5903370f21e24f47",
              "status": "affected",
              "version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
              "versionType": "git"
            },
            {
              "lessThan": "69a31f7a6a81f5ffd3812c442e09ff0be22960f1",
              "status": "affected",
              "version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
              "versionType": "git"
            },
            {
              "lessThan": "a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b",
              "status": "affected",
              "version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_interface_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.101",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.101",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.9",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: interface: fix use-after-free after changing collect_md xfrm interface\n\ncollect_md property on xfrm interfaces can only be set on device creation,\nthus xfrmi_changelink() should fail when called on such interfaces.\n\nThe check to enforce this was done only in the case where the xi was\nreturned from xfrmi_locate() which doesn\u0027t look for the collect_md\ninterface, and thus the validation was never reached.\n\nCalling changelink would thus errornously place the special interface xi\nin the xfrmi_net-\u003exfrmi hash, but since it also exists in the\nxfrmi_net-\u003ecollect_md_xfrmi pointer it would lead to a double free when\nthe net namespace was taken down [1].\n\nChange the check to use the xi from netdev_priv which is available earlier\nin the function to prevent changes in xfrm collect_md interfaces.\n\n[1] resulting oops:\n[    8.516540] kernel BUG at net/core/dev.c:12029!\n[    8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[    8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)\n[    8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[    8.516569] Workqueue: netns cleanup_net\n[    8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0\n[    8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 \u003c0f\u003e 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24\n[    8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206\n[    8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60\n[    8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122\n[    8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100\n[    8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00\n[    8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00\n[    8.516615] FS:  0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000\n[    8.516619] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0\n[    8.516625] PKRU: 55555554\n[    8.516627] Call Trace:\n[    8.516632]  \u003cTASK\u003e\n[    8.516635]  ? rtnl_is_locked+0x15/0x20\n[    8.516641]  ? unregister_netdevice_queue+0x29/0xf0\n[    8.516650]  ops_undo_list+0x1f2/0x220\n[    8.516659]  cleanup_net+0x1ad/0x2e0\n[    8.516664]  process_one_work+0x160/0x380\n[    8.516673]  worker_thread+0x2aa/0x3c0\n[    8.516679]  ? __pfx_worker_thread+0x10/0x10\n[    8.516686]  kthread+0xfb/0x200\n[    8.516690]  ? __pfx_kthread+0x10/0x10\n[    8.516693]  ? __pfx_kthread+0x10/0x10\n[    8.516697]  ret_from_fork+0x82/0xf0\n[    8.516705]  ? __pfx_kthread+0x10/0x10\n[    8.516709]  ret_from_fork_asm+0x1a/0x30\n[    8.516718]  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-15T15:16:37.105Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfebdb85496e1da21d3cf05de099210915c3e706"
        },
        {
          "url": "https://git.kernel.org/stable/c/5918c3f4800a3aef2173865e5903370f21e24f47"
        },
        {
          "url": "https://git.kernel.org/stable/c/69a31f7a6a81f5ffd3812c442e09ff0be22960f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b"
        }
      ],
      "title": "xfrm: interface: fix use-after-free after changing collect_md xfrm interface",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38500",
    "datePublished": "2025-08-12T16:02:42.363Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2025-11-03T17:39:09.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-53141 (GCVE-0-2024-53141)

Vulnerability from cvelistv5 – Published: 2024-12-06 09:37 – Updated: 2025-11-03 20:46

Title

netfilter: ipset: add missing range check in bitmap_ip_uadt

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add missing range check in bitmap_ip_uadt When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3c20b5948f119ae61…
	https://git.kernel.org/stable/c/78b0f2028f1043227…
	https://git.kernel.org/stable/c/2e151b8ca31607d14…
	https://git.kernel.org/stable/c/e67471437ae9083fa…
	https://git.kernel.org/stable/c/7ffef5e5d5eeecd96…
	https://git.kernel.org/stable/c/856023ef032d82430…
	https://git.kernel.org/stable/c/591efa494a1cf649f…
	https://git.kernel.org/stable/c/15794835378ed56fb…
	https://git.kernel.org/stable/c/35f56c554eb1b56b7…

Impacted products

Vendor

Product

Version

Linux

Affected: 72205fc68bd13109576aa6c4c12c740962d28a6c , < 3c20b5948f119ae61ee35ad8584d666020c91581 (git)
Affected: 72205fc68bd13109576aa6c4c12c740962d28a6c , < 78b0f2028f1043227a8eb0c41944027fc6a04596 (git)
Affected: 72205fc68bd13109576aa6c4c12c740962d28a6c , < 2e151b8ca31607d14fddc4ad0f14da0893e1a7c7 (git)
Affected: 72205fc68bd13109576aa6c4c12c740962d28a6c , < e67471437ae9083fa73fa67eee1573fec1b7c8cf (git)
Affected: 72205fc68bd13109576aa6c4c12c740962d28a6c , < 7ffef5e5d5eeecd9687204a5ec2d863752aafb7e (git)
Affected: 72205fc68bd13109576aa6c4c12c740962d28a6c , < 856023ef032d824309abd5c747241dffa33aae8c (git)
Affected: 72205fc68bd13109576aa6c4c12c740962d28a6c , < 591efa494a1cf649f50a35def649c43ae984cd03 (git)
Affected: 72205fc68bd13109576aa6c4c12c740962d28a6c , < 15794835378ed56fb9bacc6a5dd3b9f33520604e (git)
Affected: 72205fc68bd13109576aa6c4c12c740962d28a6c , < 35f56c554eb1b56b77b3cf197a6b00922d49033d (git)

Linux

Affected: 2.6.39
Unaffected: 0 , < 2.6.39 (semver)
Unaffected: 4.19.325 , ≤ 4.19.* (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.11.11 , ≤ 6.11.* (semver)
Unaffected: 6.12.2 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:46:21.162Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipset/ip_set_bitmap_ip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c20b5948f119ae61ee35ad8584d666020c91581",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "78b0f2028f1043227a8eb0c41944027fc6a04596",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "2e151b8ca31607d14fddc4ad0f14da0893e1a7c7",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "e67471437ae9083fa73fa67eee1573fec1b7c8cf",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "7ffef5e5d5eeecd9687204a5ec2d863752aafb7e",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "856023ef032d824309abd5c747241dffa33aae8c",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "591efa494a1cf649f50a35def649c43ae984cd03",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "15794835378ed56fb9bacc6a5dd3b9f33520604e",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "35f56c554eb1b56b77b3cf197a6b00922d49033d",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipset/ip_set_bitmap_ip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.39"
            },
            {
              "lessThan": "2.6.39",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.325",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.325",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: add missing range check in bitmap_ip_uadt\n\nWhen tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,\nthe values of ip and ip_to are slightly swapped. Therefore, the range check\nfor ip should be done later, but this part is missing and it seems that the\nvulnerability occurs.\n\nSo we should add missing range checks and remove unnecessary range checks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:54:04.856Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c20b5948f119ae61ee35ad8584d666020c91581"
        },
        {
          "url": "https://git.kernel.org/stable/c/78b0f2028f1043227a8eb0c41944027fc6a04596"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e151b8ca31607d14fddc4ad0f14da0893e1a7c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e67471437ae9083fa73fa67eee1573fec1b7c8cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ffef5e5d5eeecd9687204a5ec2d863752aafb7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/856023ef032d824309abd5c747241dffa33aae8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/591efa494a1cf649f50a35def649c43ae984cd03"
        },
        {
          "url": "https://git.kernel.org/stable/c/15794835378ed56fb9bacc6a5dd3b9f33520604e"
        },
        {
          "url": "https://git.kernel.org/stable/c/35f56c554eb1b56b77b3cf197a6b00922d49033d"
        }
      ],
      "title": "netfilter: ipset: add missing range check in bitmap_ip_uadt",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53141",
    "datePublished": "2024-12-06T09:37:02.009Z",
    "dateReserved": "2024-11-19T17:17:24.997Z",
    "dateUpdated": "2025-11-03T20:46:21.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-1107

Solutions

CVE-2025-23145 (GCVE-0-2025-23145)

CVE-2025-38616 (GCVE-0-2025-38616)

CVE-2025-38500 (GCVE-0-2025-38500)

CVE-2024-53141 (GCVE-0-2024-53141)

Tags

Sightings

Nomenclature