fkie_cve-2025-38589
Vulnerability from fkie_nvd
Published
2025-08-19 17:15
Modified
2025-08-20 14:40
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: neighbour: Fix null-ptr-deref in neigh_flush_dev(). kernel test robot reported null-ptr-deref in neigh_flush_dev(). [0] The cited commit introduced per-netdev neighbour list and converted neigh_flush_dev() to use it instead of the global hash table. One thing we missed is that neigh_table_clear() calls neigh_ifdown() with NULL dev. Let's restore the hash table iteration. Note that IPv6 module is no longer unloadable, so neigh_table_clear() is called only when IPv6 fails to initialise, which is unlikely to happen. [0]: IPv6: Attempt to unregister permanent protocol 136 IPv6: Attempt to unregister permanent protocol 17 Oops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07] CPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.12.0-rc6-01246-gf7f52738637f #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570 Code: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f RSP: 0000:ffff88810026f408 EFLAGS: 00010206 RAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640 RBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000 FS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __neigh_ifdown.llvm.6395807810224103582+0x44/0x390 neigh_table_clear+0xb1/0x268 ndisc_cleanup+0x21/0x38 [ipv6] init_module+0x2f5/0x468 [ipv6] do_one_initcall+0x1ba/0x628 do_init_module+0x21a/0x530 load_module+0x2550/0x2ea0 __se_sys_finit_module+0x3d2/0x620 __x64_sys_finit_module+0x76/0x88 x64_sys_call+0x7ff/0xde8 do_syscall_64+0xfb/0x1e8 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f575d6f2719 Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719 RDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004 RBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00 R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000 R13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270 </TASK> Modules linked in: ipv6(+)
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1bbb76a899486827394530916f01214d049931b3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/47fbd7f8df19bdfbe334ee83f35568c9a29221ae
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d9c4328795697ebc392a63fece3901999c09cddd
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: Fix null-ptr-deref in neigh_flush_dev().\n\nkernel test robot reported null-ptr-deref in neigh_flush_dev(). [0]\n\nThe cited commit introduced per-netdev neighbour list and converted\nneigh_flush_dev() to use it instead of the global hash table.\n\nOne thing we missed is that neigh_table_clear() calls neigh_ifdown()\nwith NULL dev.\n\nLet\u0027s restore the hash table iteration.\n\nNote that IPv6 module is no longer unloadable, so neigh_table_clear()\nis called only when IPv6 fails to initialise, which is unlikely to\nhappen.\n\n[0]:\nIPv6: Attempt to unregister permanent protocol 136\nIPv6: Attempt to unregister permanent protocol 17\nOops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07]\nCPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G                T  6.12.0-rc6-01246-gf7f52738637f #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570\nCode: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 \u003c42\u003e 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f\nRSP: 0000:ffff88810026f408 EFLAGS: 00010206\nRAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640\nRBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000\nFS:  00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n __neigh_ifdown.llvm.6395807810224103582+0x44/0x390\n neigh_table_clear+0xb1/0x268\n ndisc_cleanup+0x21/0x38 [ipv6]\n init_module+0x2f5/0x468 [ipv6]\n do_one_initcall+0x1ba/0x628\n do_init_module+0x21a/0x530\n load_module+0x2550/0x2ea0\n __se_sys_finit_module+0x3d2/0x620\n __x64_sys_finit_module+0x76/0x88\n x64_sys_call+0x7ff/0xde8\n do_syscall_64+0xfb/0x1e8\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f575d6f2719\nCode: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48\nRSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\nRAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719\nRDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004\nRBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00\nR10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000\nR13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270\n \u003c/TASK\u003e\nModules linked in: ipv6(+)"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: neighbor: Se corrigi\u00f3 null-ptr-deref en neigh_flush_dev(). El robot de pruebas del kernel report\u00f3 null-ptr-deref en neigh_flush_dev(). [0] La confirmaci\u00f3n citada introdujo una lista de vecinos por netdev y convirti\u00f3 neigh_flush_dev() para usarla en lugar de la tabla hash global. Un aspecto que pasamos por alto es que neigh_table_clear() llama a neigh_ifdown() con NULL dev. Restablezcamos la iteraci\u00f3n de la tabla hash. Tenga en cuenta que el m\u00f3dulo IPv6 ya no se puede descargar, por lo que neigh_table_clear() solo se llama cuando IPv6 no se inicializa, lo cual es improbable. [0]: IPv6: Intento de anular el registro del protocolo permanente 136 IPv6: Intento de anular el registro del protocolo permanente 17 Ups: fallo de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0xdffffc00000001a0: 0000 [#1] SMP KASAN KASAN: null-ptr-deref en el rango [0x000000000000d00-0x0000000000000d07] CPU: 1 UID: 0 PID: 1 Comm: systemd Contaminado: GT 6.12.0-rc6-01246-gf7f52738637f #1 Contaminado: [T]=RANDSTRUCT Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 01/04/2014 RIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570 C\u00f3digo: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 \u0026lt;42\u0026gt; 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 y siguientes 0f RSP: 0000:ffff88810026f408 EFLAGS: 00010206 RAX: 00000000000001a0 RBX: 00000000000000d00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640 RBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: fffffffc0625250 R14: fffffffc0631640 R15: dffffc0000000000 FS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 000000000000406f0 DR0: 00000000000000000 DR1: 00000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Rastreo de llamadas:   __neigh_ifdown.llvm.6395807810224103582+0x44/0x390 neigh_table_clear+0xb1/0x268 ndisc_cleanup+0x21/0x38 [ipv6] init_module+0x2f5/0x468 [ipv6] do_one_initcall+0x1ba/0x628 do_init_module+0x21a/0x530 load_module+0x2550/0x2ea0 __se_sys_finit_module+0x3d2/0x620 __x64_sys_finit_module+0x76/0x88 x64_sys_call+0x7ff/0xde8 do_syscall_64+0xfb/0x1e8 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f575d6f2719 Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719 RDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004 RBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00 R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000 R13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270  M\u00f3dulos vinculados en: ipv6(+)"
    }
  ],
  "id": "CVE-2025-38589",
  "lastModified": "2025-08-20T14:40:17.713",
  "metrics": {},
  "published": "2025-08-19T17:15:36.520",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1bbb76a899486827394530916f01214d049931b3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/47fbd7f8df19bdfbe334ee83f35568c9a29221ae"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d9c4328795697ebc392a63fece3901999c09cddd"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.