| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022604-CVE-2025-21762-8b8d@gregkh> Date: Wed, 26 Feb 2025 18:17:18 -0800 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21762: arp: use RCU protection in arp_xmit() Description =========== In the Linux kernel, the following vulnerability has been resolved: arp: use RCU protection in arp_xmit() arp_xmit() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. The Linux kernel CVE team has assigned CVE-2025-21762 to this issue. Affected and fixed versions =========================== Issue introduced in 4.4 with commit 29a26a56803855a79dbd028cd61abee56237d6e5 and fixed in 6.1.129 with commit f189654459423d4d48bef2d120b4bfba559e6039 Issue introduced in 4.4 with commit 29a26a56803855a79dbd028cd61abee56237d6e5 and fixed in 6.6.79 with commit e9f4dee534eb1b225b0a120395ad9bc2afe164d3 Issue introduced in 4.4 with commit 29a26a56803855a79dbd028cd61abee56237d6e5 and fixed in 6.12.16 with commit 01d1b5c9abcaff29a43f1d17a19c33eec92c7dbe Issue introduced in 4.4 with commit 29a26a56803855a79dbd028cd61abee56237d6e5 and fixed in 6.13.4 with commit 2c331718d3389b6c5f6855078ab7171849e016bd Issue introduced in 4.4 with commit 29a26a56803855a79dbd028cd61abee56237d6e5 and fixed in 6.14-rc3 with commit a42b69f692165ec39db42d595f4f65a4c8f42e44 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21762 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ipv4/arp.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/f189654459423d4d48bef2d120b4bfba559e6039 https://git.kernel.org/stable/c/e9f4dee534eb1b225b0a120395ad9bc2afe164d3 https://git.kernel.org/stable/c/01d1b5c9abcaff29a43f1d17a19c33eec92c7dbe https://git.kernel.org/stable/c/2c331718d3389b6c5f6855078ab7171849e016bd https://git.kernel.org/stable/c/a42b69f692165ec39db42d595f4f65a4c8f42e44
Powered by blists - more mailing lists