| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022605-CVE-2025-21766-a004@gregkh> Date: Wed, 26 Feb 2025 18:17:22 -0800 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21766: ipv4: use RCU protection in __ip_rt_update_pmtu() Description =========== In the Linux kernel, the following vulnerability has been resolved: ipv4: use RCU protection in __ip_rt_update_pmtu() __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear. The Linux kernel CVE team has assigned CVE-2025-21766 to this issue. Affected and fixed versions =========================== Issue introduced in 5.9 with commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 and fixed in 6.1.129 with commit ea07480b23225942208f1b754fea1e7ec486d37e Issue introduced in 5.9 with commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 and fixed in 6.6.79 with commit 9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4 Issue introduced in 5.9 with commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 and fixed in 6.12.16 with commit 4583748b65dee4d61bd50a2214715b4237bc152a Issue introduced in 5.9 with commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 and fixed in 6.13.4 with commit a39f61d212d822b3062d7f70fa0588e50e55664e Issue introduced in 5.9 with commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 and fixed in 6.14-rc3 with commit 139512191bd06f1b496117c76372b2ce372c9a41 Issue introduced in 4.14.200 with commit f415c264176e6095e9dee823e09c5bdd0ee0d337 Issue introduced in 4.19.148 with commit 98776a365da509ad923083ae54b38ee521c52742 Issue introduced in 5.4.68 with commit 860e2cc78c697c95bc749abb20047239fa1722ea Issue introduced in 5.8.12 with commit 2b1be6c925cdf4638811765a9160796291494b89 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21766 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ipv4/route.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/ea07480b23225942208f1b754fea1e7ec486d37e https://git.kernel.org/stable/c/9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4 https://git.kernel.org/stable/c/4583748b65dee4d61bd50a2214715b4237bc152a https://git.kernel.org/stable/c/a39f61d212d822b3062d7f70fa0588e50e55664e https://git.kernel.org/stable/c/139512191bd06f1b496117c76372b2ce372c9a41
Powered by blists - more mailing lists