GHSA-QRX3-R5GV-42G6
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-11-03 18:31In the Linux kernel, the following vulnerability has been resolved:
net: rose: include node references in rose_neigh refcount
Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock.
This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented.
This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node().
These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.
{
"affected": [],
"aliases": [
"CVE-2025-39827"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T13:16:02Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: include node references in rose_neigh refcount\n\nCurrent implementation maintains two separate reference counting\nmechanisms: the \u0027count\u0027 field in struct rose_neigh tracks references from\nrose_node structures, while the \u0027use\u0027 field (now refcount_t) tracks\nreferences from rose_sock.\n\nThis patch merges these two reference counting systems using \u0027use\u0027 field\nfor proper reference management. Specifically, this patch adds incrementing\nand decrementing of rose_neigh-\u003euse when rose_neigh-\u003ecount is incremented\nor decremented.\n\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\nrose_clear_route() to properly release references to rose_neigh objects\nbefore freeing a rose_node through rose_remove_node().\n\nThese changes ensure rose_neigh structures are properly freed only when\nall references, including those from rose_node structures, are released.\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot.",
"id": "GHSA-qrx3-r5gv-42g6",
"modified": "2025-11-03T18:31:41Z",
"published": "2025-09-16T15:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39827"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.