CVE-2025-38589

{"id": "CVE-2025-38589", "cveTags": [], "metrics": {}, "published": "2025-08-19T17:15:36.520", "references": [{"url": "https://git.kernel.org/stable/c/1bbb76a899486827394530916f01214d049931b3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/47fbd7f8df19bdfbe334ee83f35568c9a29221ae", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d9c4328795697ebc392a63fece3901999c09cddd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: Fix null-ptr-deref in neigh_flush_dev().\n\nkernel test robot reported null-ptr-deref in neigh_flush_dev(). [0]\n\nThe cited commit introduced per-netdev neighbour list and converted\nneigh_flush_dev() to use it instead of the global hash table.\n\nOne thing we missed is that neigh_table_clear() calls neigh_ifdown()\nwith NULL dev.\n\nLet's restore the hash table iteration.\n\nNote that IPv6 module is no longer unloadable, so neigh_table_clear()\nis called only when IPv6 fails to initialise, which is unlikely to\nhappen.\n\n[0]:\nIPv6: Attempt to unregister permanent protocol 136\nIPv6: Attempt to unregister permanent protocol 17\nOops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07]\nCPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.12.0-rc6-01246-gf7f52738637f #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570\nCode: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f\nRSP: 0000:ffff88810026f408 EFLAGS: 00010206\nRAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640\nRBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000\nFS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __neigh_ifdown.llvm.6395807810224103582+0x44/0x390\n neigh_table_clear+0xb1/0x268\n ndisc_cleanup+0x21/0x38 [ipv6]\n init_module+0x2f5/0x468 [ipv6]\n do_one_initcall+0x1ba/0x628\n do_init_module+0x21a/0x530\n load_module+0x2550/0x2ea0\n __se_sys_finit_module+0x3d2/0x620\n __x64_sys_finit_module+0x76/0x88\n x64_sys_call+0x7ff/0xde8\n do_syscall_64+0xfb/0x1e8\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f575d6f2719\nCode: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48\nRSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\nRAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719\nRDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004\nRBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00\nR10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000\nR13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270\n </TASK>\nModules linked in: ipv6(+)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: neighbor: Se corrigi\u00f3 null-ptr-deref en neigh_flush_dev(). El robot de pruebas del kernel report\u00f3 null-ptr-deref en neigh_flush_dev(). [0] La confirmaci\u00f3n citada introdujo una lista de vecinos por netdev y convirti\u00f3 neigh_flush_dev() para usarla en lugar de la tabla hash global. Un aspecto que pasamos por alto es que neigh_table_clear() llama a neigh_ifdown() con NULL dev. Restablezcamos la iteraci\u00f3n de la tabla hash. Tenga en cuenta que el m\u00f3dulo IPv6 ya no se puede descargar, por lo que neigh_table_clear() solo se llama cuando IPv6 no se inicializa, lo cual es improbable. [0]: IPv6: Intento de anular el registro del protocolo permanente 136 IPv6: Intento de anular el registro del protocolo permanente 17 Ups: fallo de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0xdffffc00000001a0: 0000 [#1] SMP KASAN KASAN: null-ptr-deref en el rango [0x000000000000d00-0x0000000000000d07] CPU: 1 UID: 0 PID: 1 Comm: systemd Contaminado: GT 6.12.0-rc6-01246-gf7f52738637f #1 Contaminado: [T]=RANDSTRUCT Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 01/04/2014 RIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570 C\u00f3digo: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 &lt;42&gt; 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 y siguientes 0f RSP: 0000:ffff88810026f408 EFLAGS: 00010206 RAX: 00000000000001a0 RBX: 00000000000000d00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640 RBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: fffffffc0625250 R14: fffffffc0631640 R15: dffffc0000000000 FS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 000000000000406f0 DR0: 00000000000000000 DR1: 00000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Rastreo de llamadas: __neigh_ifdown.llvm.6395807810224103582+0x44/0x390 neigh_table_clear+0xb1/0x268 ndisc_cleanup+0x21/0x38 [ipv6] init_module+0x2f5/0x468 [ipv6] do_one_initcall+0x1ba/0x628 do_init_module+0x21a/0x530 load_module+0x2550/0x2ea0 __se_sys_finit_module+0x3d2/0x620 __x64_sys_finit_module+0x76/0x88 x64_sys_call+0x7ff/0xde8 do_syscall_64+0xfb/0x1e8 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f575d6f2719 Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 &lt;48&gt; 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719 RDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004 RBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00 R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000 R13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270 M\u00f3dulos vinculados en: ipv6(+)"}], "lastModified": "2025-08-20T14:40:17.713", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}