| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091904-CVE-2025-39848-7675@gregkh>
Date: Fri, 19 Sep 2025 17:28:12 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39848: ax25: properly unshare skbs in ax25_kiss_rcv()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ax25: properly unshare skbs in ax25_kiss_rcv()
Bernard Pidoux reported a regression apparently caused by commit
c353e8983e0d ("net: introduce per netns packet chains").
skb->dev becomes NULL and we crash in __netif_receive_skb_core().
Before above commit, different kind of bugs or corruptions could happen
without a major crash.
But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
without checking if this skb is shared or not.
Many thanks to Bernard Pidoux for his help, diagnosis and tests.
We had a similar issue years ago fixed with commit 7aaed57c5c28
("phonet: properly unshare skbs in phonet_rcv()").
The Linux kernel CVE team has assigned CVE-2025-39848 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.299 with commit 42b46684e2c78ee052d8c2ee8d9c2089233c9094
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.243 with commit 5b079be1b9da49ad88fc304c874d4be7085f7883
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.192 with commit 2bd0f67212908243ce88e35bf69fa77155b47b14
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.151 with commit 01a2984cb803f2d487b7074f9718db2bf3531f69
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.105 with commit 7d449b7a6c8ee434d10a483feed7c5c50108cf56
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12.46 with commit 89064cf534bea4bb28c83fe6bbb26657b19dd5fe
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.16.6 with commit b1c71d674a308d2fbc83efcf88bfc4217a86aa17
Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.17-rc5 with commit 8156210d36a43e76372312c87eb5ea3dbb405a85
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39848
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/ax25/ax25_in.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/42b46684e2c78ee052d8c2ee8d9c2089233c9094
https://git.kernel.org/stable/c/5b079be1b9da49ad88fc304c874d4be7085f7883
https://git.kernel.org/stable/c/2bd0f67212908243ce88e35bf69fa77155b47b14
https://git.kernel.org/stable/c/01a2984cb803f2d487b7074f9718db2bf3531f69
https://git.kernel.org/stable/c/7d449b7a6c8ee434d10a483feed7c5c50108cf56
https://git.kernel.org/stable/c/89064cf534bea4bb28c83fe6bbb26657b19dd5fe
https://git.kernel.org/stable/c/b1c71d674a308d2fbc83efcf88bfc4217a86aa17
https://git.kernel.org/stable/c/8156210d36a43e76372312c87eb5ea3dbb405a85
Powered by blists - more mailing lists