7.8
CVE-2025-38377
- EPSS 0.16%
- Veröffentlicht 25.07.2025 13:15:26
- Zuletzt bearbeitet 18.12.2025 17:20:12
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
rose: fix dangling neighbour pointers in rose_rt_device_down()
In the Linux kernel, the following vulnerability has been resolved:
rose: fix dangling neighbour pointers in rose_rt_device_down()
There are two bugs in rose_rt_device_down() that can cause
use-after-free:
1. The loop bound `t->count` is modified within the loop, which can
cause the loop to terminate early and miss some entries.
2. When removing an entry from the neighbour array, the subsequent entries
are moved up to fill the gap, but the loop index `i` is still
incremented, causing the next entry to be skipped.
For example, if a node has three neighbours (A, A, B) with count=3 and A
is being removed, the second A is not checked.
i=0: (A, A, B) -> (A, B) with count=2
^ checked
i=1: (A, B) -> (A, B) with count=2
^ checked (B, not A!)
i=2: (doesn't occur because i < count is false)
This leaves the second A in the array with count=2, but the rose_neigh
structure has been freed. Code that accesses these entries assumes that
the first `count` entries are valid pointers, causing a use-after-free
when it accesses the dangling pointer.
Fix both issues by iterating over the array in reverse order with a fixed
loop bound. This ensures that all entries are examined and that the removal
of an entry doesn't affect subsequent iterations.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 2.6.13 < 5.4.296
Linux ≫ Linux Kernel Version >= 5.5 < 5.10.240
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.187
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.144
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.97
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.37
Linux ≫ Linux Kernel Version >= 6.13 < 6.15.6
Linux ≫ Linux Kernel Version2.6.12 Update-
Linux ≫ Linux Kernel Version2.6.12 Updaterc2
Linux ≫ Linux Kernel Version2.6.12 Updaterc3
Linux ≫ Linux Kernel Version2.6.12 Updaterc4
Linux ≫ Linux Kernel Version2.6.12 Updaterc5
Linux ≫ Linux Kernel Version6.16 Updaterc1
Linux ≫ Linux Kernel Version6.16 Updaterc2
Linux ≫ Linux Kernel Version6.16 Updaterc3
Linux ≫ Linux Kernel Version6.16 Updaterc4
Debian ≫ Debian Linux Version11.0
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.059 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea
https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a
https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157
https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db
https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4
https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756
https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4
https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html