We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-38377

rose: fix dangling neighbour pointers in rose_rt_device_down()



Description

In the Linux kernel, the following vulnerability has been resolved: rose: fix dangling neighbour pointers in rose_rt_device_down() There are two bugs in rose_rt_device_down() that can cause use-after-free: 1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries. 2. When removing an entry from the neighbour array, the subsequent entries are moved up to fill the gap, but the loop index `i` is still incremented, causing the next entry to be skipped. For example, if a node has three neighbours (A, A, B) with count=3 and A is being removed, the second A is not checked. i=0: (A, A, B) -> (A, B) with count=2 ^ checked i=1: (A, B) -> (A, B) with count=2 ^ checked (B, not A!) i=2: (doesn't occur because i < count is false) This leaves the second A in the array with count=2, but the rose_neigh structure has been freed. Code that accesses these entries assumes that the first `count` entries are valid pointers, causing a use-after-free when it accesses the dangling pointer. Fix both issues by iterating over the array in reverse order with a fixed loop bound. This ensures that all entries are examined and that the removal of an entry doesn't affect subsequent iterations.

Reserved 2025-04-16 | Published 2025-07-25 | Updated 2025-07-25 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 94e0918e39039c47ddceb609500817f7266be756
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before fe62a35fb1f77f494ed534fc69a9043dc5a30ce1
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 2b952dbb32fef835756f07ff0cd77efbb836dfea
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b6b232e16e08c6dc120672b4753392df0d28c1b4
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 7a1841c9609377e989ec41c16551309ce79c39e4
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 446ac00b86be1670838e513b643933d78837d8db
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 2c6c82ee074bfcfd1bc978ec45bfea37703d840a
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 34a500caf48c47d5171f4aa1f237da39b07c6157
affected

Default status
affected

2.6.12
affected

Any version before 2.6.12
unaffected

5.4.296
unaffected

5.10.240
unaffected

5.15.187
unaffected

6.1.144
unaffected

6.6.97
unaffected

6.12.37
unaffected

6.15.6
unaffected

6.16-rc5
unaffected

References

git.kernel.org/...c/94e0918e39039c47ddceb609500817f7266be756

git.kernel.org/...c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1

git.kernel.org/...c/2b952dbb32fef835756f07ff0cd77efbb836dfea

git.kernel.org/...c/b6b232e16e08c6dc120672b4753392df0d28c1b4

git.kernel.org/...c/7a1841c9609377e989ec41c16551309ce79c39e4

git.kernel.org/...c/446ac00b86be1670838e513b643933d78837d8db

git.kernel.org/...c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a

git.kernel.org/...c/34a500caf48c47d5171f4aa1f237da39b07c6157

cve.org (CVE-2025-38377)

nvd.nist.gov (CVE-2025-38377)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-38377

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.