CVE-2025-39984

EPSS 0.02%
Veröffentlicht 15.10.2025 07:56:03
Zuletzt bearbeitet 16.10.2025 15:29:11
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

net: tun: Update napi->skb after XDP process

The syzbot report a UAF issue:

  BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
  BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]
  BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
  Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079
  CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
  Call Trace:
   <TASK>
   dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
   print_address_description mm/kasan/report.c:378 [inline]
   print_report+0xca/0x240 mm/kasan/report.c:482
   kasan_report+0x118/0x150 mm/kasan/report.c:595
   skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
   napi_frags_skb net/core/gro.c:723 [inline]
   napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
   tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920
   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
   new_sync_write fs/read_write.c:593 [inline]
   vfs_write+0x5c9/0xb30 fs/read_write.c:686
   ksys_write+0x145/0x250 fs/read_write.c:738
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>

  Allocated by task 6079:
   kasan_save_stack mm/kasan/common.c:47 [inline]
   kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
   unpoison_slab_object mm/kasan/common.c:330 [inline]
   __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558
   kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]
   napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295
   __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657
   napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811
   napi_get_frags+0x69/0x140 net/core/gro.c:673
   tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]
   tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784
   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
   new_sync_write fs/read_write.c:593 [inline]
   vfs_write+0x5c9/0xb30 fs/read_write.c:686
   ksys_write+0x145/0x250 fs/read_write.c:738
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

  Freed by task 6079:
   kasan_save_stack mm/kasan/common.c:47 [inline]
   kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
   kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
   poison_slab_object mm/kasan/common.c:243 [inline]
   __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
   kasan_slab_free include/linux/kasan.h:233 [inline]
   slab_free_hook mm/slub.c:2422 [inline]
   slab_free mm/slub.c:4695 [inline]
   kmem_cache_free+0x18f/0x400 mm/slub.c:4797
   skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969
   netif_skb_check_for_xdp net/core/dev.c:5390 [inline]
   netif_receive_generic_xdp net/core/dev.c:5431 [inline]
   do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499
   tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872
   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
   new_sync_write fs/read_write.c:593 [inline]
   vfs_write+0x5c9/0xb30 fs/read_write.c:686
   ksys_write+0x145/0x250 fs/read_write.c:738
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

After commit e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in
generic mode"), the original skb may be freed in skb_pp_cow_data() when
XDP program was attached, which was allocated in tun_napi_alloc_frags().
However, the napi->skb still point to the original skb, update it after
XDP process.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < 953200d56fc23eebf80a5ad9eed6e2e8a3065093

Version e6d5dbdd20aa6a86974af51deb9414cd2e7794cb

Status affected

Version < 1697577e1669b0321d02cd848384a5d33e284296

Version e6d5dbdd20aa6a86974af51deb9414cd2e7794cb

Status affected

Version < 1091860a16a86ccdd77c09f2b21a5f634f5ab9ec

Version e6d5dbdd20aa6a86974af51deb9414cd2e7794cb

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.9

Status affected

Version < 6.9

Version 0

Status unaffected

Version <= 6.12.*

Version 6.12.50

Status unaffected

Version <= 6.16.*

Version 6.16.10

Status unaffected

Version <= *

Version 6.17

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.053

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/953200d56fc23eebf80a5ad9eed6e2e8a3065093

https://git.kernel.org/stable/c/1697577e1669b0321d02cd848384a5d33e284296

https://git.kernel.org/stable/c/1091860a16a86ccdd77c09f2b21a5f634f5ab9ec

https://nvd.nist.gov/vuln/detail/CVE-2025-39984

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-39984

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-39984

EUVD