GHSA-G35J-5V93-P28M

Vulnerability from github – Published: 2025-10-01 09:30 – Updated: 2025-10-01 09:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

can: j1939: implement NETDEV_UNREGISTER notification handler

syzbot is reporting

unregister_netdevice: waiting for vcan0 to become free. Usage count = 2

problem, for j1939 protocol did not have NETDEV_UNREGISTER notification handler for undoing changes made by j1939_sk_bind().

Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback") expects that a call to j1939_priv_put() can be unconditionally delayed until j1939_sk_sock_destruct() is called. But we need to call j1939_priv_put() against an extra ref held by j1939_sk_bind() call (as a part of undoing changes made by j1939_sk_bind()) as soon as NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct() is called via j1939_sk_release()). Otherwise, the extra ref on "struct j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from dropping the usage count to 1; making it impossible for unregister_netdevice() to continue.

[mkl: remove space in front of label]

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39925"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T08:15:35Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: implement NETDEV_UNREGISTER notification handler\n\nsyzbot is reporting\n\n  unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\nproblem, for j1939 protocol did not have NETDEV_UNREGISTER notification\nhandler for undoing changes made by j1939_sk_bind().\n\nCommit 25fe97cb7620 (\"can: j1939: move j1939_priv_put() into sk_destruct\ncallback\") expects that a call to j1939_priv_put() can be unconditionally\ndelayed until j1939_sk_sock_destruct() is called. But we need to call\nj1939_priv_put() against an extra ref held by j1939_sk_bind() call\n(as a part of undoing changes made by j1939_sk_bind()) as soon as\nNETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()\nis called via j1939_sk_release()). Otherwise, the extra ref on \"struct\nj1939_priv\" held by j1939_sk_bind() call prevents \"struct net_device\" from\ndropping the usage count to 1; making it impossible for\nunregister_netdevice() to continue.\n\n[mkl: remove space in front of label]",
  "id": "GHSA-g35j-5v93-p28m",
  "modified": "2025-10-01T09:30:25Z",
  "published": "2025-10-01T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39925"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da9e8f429139928570407e8f90559b5d46c20262"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.