CVE-2025-38377

HIGH EPSS 6.0%
Published Jul 25, 2025 (11mo ago) · Modified Jun 17, 2026 (2w ago)
7.8 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

rose: fix dangling neighbour pointers in rose_rt_device_down()

There are two bugs in rose_rt_device_down() that can cause use-after-free:

1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries.

2. When removing an entry from the neighbour array, the subsequent entries are moved up to fill the gap, but the loop index `i` is still incremented, causing the next entry to be skipped.

For example, if a node has three neighbours (A, A, B) with count=3 and A is being removed, the second A is not checked.

    i=0: (A, A, B) -> (A, B) with count=2
          ^ checked
    i=1: (A, B)    -> (A, B) with count=2
             ^ checked (B, not A!)
    i=2: (doesn't occur because i < count is false)

This leaves the second A in the array with count=2, but the rose_neigh structure has been freed. Code that accesses these entries assumes that the first `count` entries are valid pointers, causing a use-after-free when it accesses the dangling pointer.

Fix both issues by iterating over the array in reverse order with a fixed loop bound. This ensures that all entries are examined and that the removal of an entry doesn't affect subsequent iterations.
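The skipped-entry behaviour described above, reproduced in a small userspace C model (an added example, not the kernel's rose code or the upstream patch). The names node_model, remove_slot, remove_forward, remove_reverse and stale_refs are hypothetical, and integers stand in for rose_neigh pointers.

```c
#include <stdio.h>
#include <string.h>
enum { A = 1, B = 2 };              /* constructed neighbour ids */

/* Model: first `count` slots assumed valid; ints stand in for rose_neigh pointers. */
struct node_model { int count; int neighbour[3]; };

/* Drop slot i by moving the later entries up to fill the gap. */
static void remove_slot(struct node_model *t, int i)
{
    memmove(&t->neighbour[i], &t->neighbour[i + 1],
            (size_t)(t->count - 1 - i) * sizeof(t->neighbour[0]));
    t->count--;
}

/* Buggy shape: the bound shrinks in-loop and i still advances after a removal. */
int remove_forward(struct node_model *t, int victim)
{
    for (int i = 0; i < t->count; i++)
        if (t->neighbour[i] == victim)
            remove_slot(t, i);
    return t->count;
}

/* Fixed shape: reverse order, start index read once before the loop. */
int remove_reverse(struct node_model *t, int victim)
{
    for (int i = t->count - 1; i >= 0; i--)
        if (t->neighbour[i] == victim)
            remove_slot(t, i);
    return t->count;
}

/* Entries among the first `count` slots that still name the removed neighbour. */
int stale_refs(const struct node_model *t, int victim)
{
    int n = 0;
    for (int i = 0; i < t->count; i++)
        n += (t->neighbour[i] == victim);
    return n;
}

int main(void)
{
    struct node_model buggy = { 3, { A, A, B } }, fixed = buggy;
    remove_forward(&buggy, A);
    remove_reverse(&fixed, A);
    printf("forward: count=%d stale=%d | reverse: count=%d stale=%d\n", buggy.count,
           stale_refs(&buggy, A), fixed.count, stale_refs(&fixed, A));
    return 0;
}
```

In the model, a non-zero stale_refs() result corresponds to the dangling pointer left inside the first `count` entries.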

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
6.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 17

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥2.6.13 – <5.4.296
linux   linux_kernel  *        ≥5.5 – <5.10.240
linux   linux_kernel  *        ≥5.11 – <5.15.187
linux   linux_kernel  *        ≥5.16 – <6.1.144
linux   linux_kernel  *        ≥6.2 – <6.6.97
linux   linux_kernel  *        ≥6.7 – <6.12.37
linux   linux_kernel  *        ≥6.13 – <6.15.6
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  6.16     any
linux   linux_kernel  6.16     any
linux   linux_kernel  6.16     any
linux   linux_kernel  6.16     any
debian  debian_linux  11.0     any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
    Mailing List, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
    Mailing List, Third Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1
    Patch