| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025081916-CVE-2025-38588-cb2d@gregkh>
Date: Tue, 19 Aug 2025 19:18:34 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38588: ipv6: prevent infinite loop in rt6_nlmsg_size()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ipv6: prevent infinite loop in rt6_nlmsg_size()
While testing prior patch, I was able to trigger
an infinite loop in rt6_nlmsg_size() in the following place:
list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
fib6_siblings) {
rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
}
This is because fib6_del_route() and fib6_add_rt2node()
uses list_del_rcu(), which can confuse rcu readers,
because they might no longer see the head of the list.
Restart the loop if f6i->fib6_nsiblings is zero.
The Linux kernel CVE team has assigned CVE-2025-38588 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.1.128 with commit d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 and fixed in 6.1.148 with commit 6d345136c9b875f065d226908a29c25cdf9343f8
Issue introduced in 6.6.75 with commit 52da02521ede55fb86546c3fffd9377b3261b91f and fixed in 6.6.102 with commit e1b7932af47f92432be8303d2439d1bf77b0be23
Issue introduced in 6.12.2 with commit 34a949e7a0869dfa31a40416d2a56973fae1807b and fixed in 6.12.42 with commit cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38
Issue introduced in 6.13 with commit d9ccb18f83ea2bb654289b6ecf014fd267cc988b and fixed in 6.15.10 with commit 3c13db3e47e170bab19e574404e7b6be45ea873d
Issue introduced in 6.13 with commit d9ccb18f83ea2bb654289b6ecf014fd267cc988b and fixed in 6.16.1 with commit 46aeb66e9e54ed0d56c18615e1c3dbd502b327ab
Issue introduced in 6.13 with commit d9ccb18f83ea2bb654289b6ecf014fd267cc988b and fixed in 6.17-rc1 with commit 54e6fe9dd3b0e7c481c2228782c9494d653546da
Issue introduced in 6.11.11 with commit 11edcd026012ac18acee0f1514db3ed1b160fc6f
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38588
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/ipv6/ip6_fib.c
net/ipv6/route.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/6d345136c9b875f065d226908a29c25cdf9343f8
https://git.kernel.org/stable/c/e1b7932af47f92432be8303d2439d1bf77b0be23
https://git.kernel.org/stable/c/cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38
https://git.kernel.org/stable/c/3c13db3e47e170bab19e574404e7b6be45ea873d
https://git.kernel.org/stable/c/46aeb66e9e54ed0d56c18615e1c3dbd502b327ab
https://git.kernel.org/stable/c/54e6fe9dd3b0e7c481c2228782c9494d653546da
Powered by blists - more mailing lists