CVE-2025-38019 (GCVE-0-2025-38019)
Vulnerability from cvelistv5
Published
2025-06-18 09:28
Modified
2025-06-18 09:28
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices: # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1 # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1 $ ip neigh show dev gre1 nud noarp 0.0.0.0 lladdr 0.0.0.0 NOARP (Note that the neighbor is not marked with 'offload') When the driver is reloaded and the existing configuration is replayed, the driver does not perform the same check regarding existing neighbors and offloads the previously added one: # devlink dev reload pci/0000:01:00.0 $ ip neigh show dev gre1 nud noarp 0.0.0.0 lladdr 0.0.0.0 offload NOARP If the neighbor is later deleted, the driver will ignore the notification (given the GRE net device is not its upper) and will therefore keep referencing freed memory, resulting in a use-after-free [1] when the net device is deleted: # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1 # ip link del dev gre1 Fix by skipping neighbor replay if the net device for which the replay is performed is not our upper. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200 Read of size 8 at addr ffff888155b0e420 by task ip/2282 [...] Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6f/0x350 print_report+0x108/0x205 kasan_report+0xdf/0x110 mlxsw_sp_neigh_entry_update+0x1ea/0x200 mlxsw_sp_router_rif_gone_sync+0x2a8/0x440 mlxsw_sp_rif_destroy+0x1e9/0x750 mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0 mlxsw_sp_router_netdevice_event+0x3ac/0x15e0 notifier_call_chain+0xca/0x150 call_netdevice_notifiers_info+0x7f/0x100 unregister_netdevice_many_notify+0xc8c/0x1d90 rtnl_dellink+0x34e/0xa50 rtnetlink_rcv_msg+0x6fb/0xb70 netlink_rcv_skb+0x131/0x360 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 __sys_sendmsg+0x121/0x1b0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53
References
Impacted products
Vendor Product Version
Linux Linux Version: 8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0
Version: 8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0
Version: 8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0
Version: 8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1ecccb5cdda39bca8cd17bb0b6cf61361e33578",
              "status": "affected",
              "version": "8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0",
              "versionType": "git"
            },
            {
              "lessThan": "abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7",
              "status": "affected",
              "version": "8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0",
              "versionType": "git"
            },
            {
              "lessThan": "9ab7945f3a61ed23da412e30f1e56414c05c4f06",
              "status": "affected",
              "version": "8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0",
              "versionType": "git"
            },
            {
              "lessThan": "92ec4855034b2c4d13f117558dc73d20581fa9ff",
              "status": "affected",
              "version": "8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.92",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.92",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices\n\nThe driver only offloads neighbors that are constructed on top of net\ndevices registered by it or their uppers (which are all Ethernet). The\ndevice supports GRE encapsulation and decapsulation of forwarded\ntraffic, but the driver will not offload dummy neighbors constructed on\ntop of GRE net devices as they are not uppers of its net devices:\n\n # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1\n # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1\n $ ip neigh show dev gre1 nud noarp\n 0.0.0.0 lladdr 0.0.0.0 NOARP\n\n(Note that the neighbor is not marked with \u0027offload\u0027)\n\nWhen the driver is reloaded and the existing configuration is replayed,\nthe driver does not perform the same check regarding existing neighbors\nand offloads the previously added one:\n\n # devlink dev reload pci/0000:01:00.0\n $ ip neigh show dev gre1 nud noarp\n 0.0.0.0 lladdr 0.0.0.0 offload NOARP\n\nIf the neighbor is later deleted, the driver will ignore the\nnotification (given the GRE net device is not its upper) and will\ntherefore keep referencing freed memory, resulting in a use-after-free\n[1] when the net device is deleted:\n\n # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1\n # ip link del dev gre1\n\nFix by skipping neighbor replay if the net device for which the replay\nis performed is not our upper.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200\nRead of size 8 at addr ffff888155b0e420 by task ip/2282\n[...]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xa0\n print_address_description.constprop.0+0x6f/0x350\n print_report+0x108/0x205\n kasan_report+0xdf/0x110\n mlxsw_sp_neigh_entry_update+0x1ea/0x200\n mlxsw_sp_router_rif_gone_sync+0x2a8/0x440\n mlxsw_sp_rif_destroy+0x1e9/0x750\n mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0\n mlxsw_sp_router_netdevice_event+0x3ac/0x15e0\n notifier_call_chain+0xca/0x150\n call_netdevice_notifiers_info+0x7f/0x100\n unregister_netdevice_many_notify+0xc8c/0x1d90\n rtnl_dellink+0x34e/0xa50\n rtnetlink_rcv_msg+0x6fb/0xb70\n netlink_rcv_skb+0x131/0x360\n netlink_unicast+0x426/0x710\n netlink_sendmsg+0x75a/0xc20\n __sock_sendmsg+0xc1/0x150\n ____sys_sendmsg+0x5aa/0x7b0\n ___sys_sendmsg+0xfc/0x180\n __sys_sendmsg+0x121/0x1b0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:28:27.046Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1ecccb5cdda39bca8cd17bb0b6cf61361e33578"
        },
        {
          "url": "https://git.kernel.org/stable/c/abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ab7945f3a61ed23da412e30f1e56414c05c4f06"
        },
        {
          "url": "https://git.kernel.org/stable/c/92ec4855034b2c4d13f117558dc73d20581fa9ff"
        }
      ],
      "title": "mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38019",
    "datePublished": "2025-06-18T09:28:27.046Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2025-06-18T09:28:27.046Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38019\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T10:15:33.563\",\"lastModified\":\"2025-06-18T13:46:52.973\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices\\n\\nThe driver only offloads neighbors that are constructed on top of net\\ndevices registered by it or their uppers (which are all Ethernet). The\\ndevice supports GRE encapsulation and decapsulation of forwarded\\ntraffic, but the driver will not offload dummy neighbors constructed on\\ntop of GRE net devices as they are not uppers of its net devices:\\n\\n # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1\\n # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1\\n $ ip neigh show dev gre1 nud noarp\\n 0.0.0.0 lladdr 0.0.0.0 NOARP\\n\\n(Note that the neighbor is not marked with \u0027offload\u0027)\\n\\nWhen the driver is reloaded and the existing configuration is replayed,\\nthe driver does not perform the same check regarding existing neighbors\\nand offloads the previously added one:\\n\\n # devlink dev reload pci/0000:01:00.0\\n $ ip neigh show dev gre1 nud noarp\\n 0.0.0.0 lladdr 0.0.0.0 offload NOARP\\n\\nIf the neighbor is later deleted, the driver will ignore the\\nnotification (given the GRE net device is not its upper) and will\\ntherefore keep referencing freed memory, resulting in a use-after-free\\n[1] when the net device is deleted:\\n\\n # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1\\n # ip link del dev gre1\\n\\nFix by skipping neighbor replay if the net device for which the replay\\nis performed is not our upper.\\n\\n[1]\\nBUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200\\nRead of size 8 at addr ffff888155b0e420 by task ip/2282\\n[...]\\nCall Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x6f/0xa0\\n print_address_description.constprop.0+0x6f/0x350\\n print_report+0x108/0x205\\n kasan_report+0xdf/0x110\\n mlxsw_sp_neigh_entry_update+0x1ea/0x200\\n mlxsw_sp_router_rif_gone_sync+0x2a8/0x440\\n mlxsw_sp_rif_destroy+0x1e9/0x750\\n mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0\\n mlxsw_sp_router_netdevice_event+0x3ac/0x15e0\\n notifier_call_chain+0xca/0x150\\n call_netdevice_notifiers_info+0x7f/0x100\\n unregister_netdevice_many_notify+0xc8c/0x1d90\\n rtnl_dellink+0x34e/0xa50\\n rtnetlink_rcv_msg+0x6fb/0xb70\\n netlink_rcv_skb+0x131/0x360\\n netlink_unicast+0x426/0x710\\n netlink_sendmsg+0x75a/0xc20\\n __sock_sendmsg+0xc1/0x150\\n ____sys_sendmsg+0x5aa/0x7b0\\n ___sys_sendmsg+0xfc/0x180\\n __sys_sendmsg+0x121/0x1b0\\n do_syscall_64+0xbb/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mlxsw: spectrum_router: Se corrige el use-after-free al eliminar dispositivos de red GRE. El controlador solo descarga a los vecinos que se construyen sobre dispositivos de red registrados por \u00e9l o sus superiores (que son todos Ethernet). El dispositivo admite la encapsulaci\u00f3n y desencapsulaci\u00f3n GRE del tr\u00e1fico reenviado, pero el controlador no descargar\u00e1 vecinos ficticios construidos sobre dispositivos de red GRE ya que no son superiores a sus dispositivos de red: # ip link add name gre1 up type gre tos heritage local 192.0.2.1 remote 198.51.100.1 # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1 $ ip neigh show dev gre1 nud noarp 0.0.0.0 lladdr 0.0.0.0 NOARP (Tenga en cuenta que el vecino no est\u00e1 marcado con \u0027offload\u0027) Cuando se vuelve a cargar el controlador y se reproduce la configuraci\u00f3n existente, el controlador no realiza la misma comprobaci\u00f3n con respecto a los vecinos existentes y descarga el agregado previamente: # devlink dev reload pci/0000:01:00.0 $ ip neigh show dev gre1 nud noarp 0.0.0.0 lladdr 0.0.0.0 offload NOARP Si el vecino se elimina m\u00e1s tarde, el controlador ignorar\u00e1 la notificaci\u00f3n (dado que el dispositivo de red GRE no es su superior) y, por lo tanto, seguir\u00e1 haciendo referencia a la memoria liberada, lo que dar\u00e1 como resultado un use-after-free [1] cuando se elimine el dispositivo de red: # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1 # ip link del dev gre1 Se soluciona omitiendo la reproducci\u00f3n del vecino si el dispositivo de red para el que se realiza la reproducci\u00f3n no es nuestro superior. [1] ERROR: KASAN: slab-use-after-free en mlxsw_sp_neigh_entry_update+0x1ea/0x200 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888155b0e420 por la tarea ip/2282 [...] Rastreo de llamadas:   dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6f/0x350 print_report+0x108/0x205 kasan_report+0xdf/0x110 mlxsw_sp_neigh_entry_update+0x1ea/0x200 mlxsw_sp_router_rif_gone_sync+0x2a8/0x440 mlxsw_sp_rif_destroy+0x1e9/0x750 mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0 mlxsw_sp_router_netdevice_event+0x3ac/0x15e0 notifier_call_chain+0xca/0x150 call_netdevice_notifiers_info+0x7f/0x100 unregister_netdevice_many_notify+0xc8c/0x1d90 rtnl_dellink+0x34e/0xa50 rtnetlink_rcv_msg+0x6fb/0xb70 netlink_rcv_skb+0x131/0x360 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 __sys_sendmsg+0x121/0x1b0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 \"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/92ec4855034b2c4d13f117558dc73d20581fa9ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9ab7945f3a61ed23da412e30f1e56414c05c4f06\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f1ecccb5cdda39bca8cd17bb0b6cf61361e33578\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.