ghsa-9844-9wvv-r2x3
Vulnerability from github
Published
2025-08-19 18:31
Modified
2025-08-19 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

neighbour: Fix null-ptr-deref in neigh_flush_dev().

kernel test robot reported null-ptr-deref in neigh_flush_dev(). [0]

The cited commit introduced per-netdev neighbour list and converted neigh_flush_dev() to use it instead of the global hash table.

One thing we missed is that neigh_table_clear() calls neigh_ifdown() with NULL dev.

Let's restore the hash table iteration.

Note that IPv6 module is no longer unloadable, so neigh_table_clear() is called only when IPv6 fails to initialise, which is unlikely to happen.

[0]: IPv6: Attempt to unregister permanent protocol 136 IPv6: Attempt to unregister permanent protocol 17 Oops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07] CPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.12.0-rc6-01246-gf7f52738637f #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570 Code: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f RSP: 0000:ffff88810026f408 EFLAGS: 00010206 RAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640 RBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000 FS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __neigh_ifdown.llvm.6395807810224103582+0x44/0x390 neigh_table_clear+0xb1/0x268 ndisc_cleanup+0x21/0x38 [ipv6] init_module+0x2f5/0x468 [ipv6] do_one_initcall+0x1ba/0x628 do_init_module+0x21a/0x530 load_module+0x2550/0x2ea0 __se_sys_finit_module+0x3d2/0x620 __x64_sys_finit_module+0x76/0x88 x64_sys_call+0x7ff/0xde8 do_syscall_64+0xfb/0x1e8 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f575d6f2719 Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719 RDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004 RBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00 R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000 R13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270 Modules linked in: ipv6(+)

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38589"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T17:15:36Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: Fix null-ptr-deref in neigh_flush_dev().\n\nkernel test robot reported null-ptr-deref in neigh_flush_dev(). [0]\n\nThe cited commit introduced per-netdev neighbour list and converted\nneigh_flush_dev() to use it instead of the global hash table.\n\nOne thing we missed is that neigh_table_clear() calls neigh_ifdown()\nwith NULL dev.\n\nLet\u0027s restore the hash table iteration.\n\nNote that IPv6 module is no longer unloadable, so neigh_table_clear()\nis called only when IPv6 fails to initialise, which is unlikely to\nhappen.\n\n[0]:\nIPv6: Attempt to unregister permanent protocol 136\nIPv6: Attempt to unregister permanent protocol 17\nOops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07]\nCPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G                T  6.12.0-rc6-01246-gf7f52738637f #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570\nCode: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 \u003c42\u003e 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f\nRSP: 0000:ffff88810026f408 EFLAGS: 00010206\nRAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640\nRBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000\nFS:  00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n __neigh_ifdown.llvm.6395807810224103582+0x44/0x390\n neigh_table_clear+0xb1/0x268\n ndisc_cleanup+0x21/0x38 [ipv6]\n init_module+0x2f5/0x468 [ipv6]\n do_one_initcall+0x1ba/0x628\n do_init_module+0x21a/0x530\n load_module+0x2550/0x2ea0\n __se_sys_finit_module+0x3d2/0x620\n __x64_sys_finit_module+0x76/0x88\n x64_sys_call+0x7ff/0xde8\n do_syscall_64+0xfb/0x1e8\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f575d6f2719\nCode: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48\nRSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\nRAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719\nRDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004\nRBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00\nR10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000\nR13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270\n \u003c/TASK\u003e\nModules linked in: ipv6(+)",
  "id": "GHSA-9844-9wvv-r2x3",
  "modified": "2025-08-19T18:31:33Z",
  "published": "2025-08-19T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38589"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1bbb76a899486827394530916f01214d049931b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47fbd7f8df19bdfbe334ee83f35568c9a29221ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9c4328795697ebc392a63fece3901999c09cddd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.