Message-ID: <2026011340-CVE-2025-71086-18be@gregkh>
Date: Tue, 13 Jan 2026 16:35:45 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-71086: net: rose: fix invalid array index in rose_kill_by_device()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: rose: fix invalid array index in rose_kill_by_device()

rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.

The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().

Fix the index to use i.

The Linux kernel CVE team has assigned CVE-2025-71086 to this issue.
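
The indexing mistake described above, as an added example that is not the kernel's code or part of the original advisory: a user-space C model of the collect-then-iterate pattern whose second loop uses either array[cnt] or array[i]. The names kill_by_device_model, msock and BATCH and the batch size of 4 are assumptions, and the model zero-fills the array so that a stale slot shows up as NULL instead of being undefined.

```c
#include <stddef.h>
#include <stdio.h>

#define BATCH 4 /* constructed batch size, not the kernel's value */

struct msock { int refcnt; int disconnected; }; /* stand-in for a socket */

struct result { int invalid_reads; int leaked_refs; int disconnected; };

/* Collect up to BATCH sockets with a reference each, then disconnect them.
 * buggy != 0 indexes batch[cnt] in the second loop, as the advisory describes;
 * buggy == 0 indexes batch[i], as the fix does. */
static struct result kill_by_device_model(size_t nsocks, int buggy)
{
    struct msock socks[BATCH] = {0};
    /* The kernel's array is uninitialized stack memory; the model zeroes it
     * so that a slot never filled is detectable as NULL. */
    struct msock *batch[BATCH] = {0};
    struct result r = {0, 0, 0};
    size_t cnt = 0, i;

    if (nsocks > BATCH) nsocks = BATCH;
    for (i = 0; i < nsocks; i++) {
        socks[i].refcnt++;          /* models sock_hold() */
        batch[cnt++] = &socks[i];
    }
    for (i = 0; i < cnt; i++) {
        size_t idx = buggy ? cnt : i;
        if (idx >= BATCH || batch[idx] == NULL) {
            r.invalid_reads++;      /* out of bounds, or a slot never filled */
            continue;               /* the model stops short of the dereference */
        }
        batch[idx]->disconnected = 1;
        batch[idx]->refcnt--;       /* models dropping the held reference */
    }
    for (i = 0; i < nsocks; i++) {
        r.leaked_refs += socks[i].refcnt;
        r.disconnected += socks[i].disconnected;
    }
    return r;
}

int main(void)
{
    for (size_t n = 3; n <= BATCH; n++)
        for (int buggy = 1; buggy >= 0; buggy--) {
            struct result r = kill_by_device_model(n, buggy);
            printf("n=%zu %s: invalid=%d leaked=%d disconnected=%d\n", n,
                   buggy ? "array[cnt]" : "array[i]", r.invalid_reads,
                   r.leaked_refs, r.disconnected);
        }
    return 0;
}
```

With the array[cnt] index every iteration lands on the same slot past the collected entries, so no collected socket is disconnected and every held reference remains.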

Affected and fixed versions
===========================

	Issue introduced in 6.1.70 with commit 3e0d1585799d8a991eba9678f297fd78d9f1846e and fixed in 6.1.160 with commit 1418c12cd3bba79dc56b57b61c99efe40f579981
	Issue introduced in 6.6.9 with commit ffced26692f83212aa09d0ece0213b23cc2f611d and fixed in 6.6.120 with commit 9f6185a32496834d6980b168cffcccc2d6b17280
	Issue introduced in 6.7 with commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be and fixed in 6.12.64 with commit b409ba9e1e63ccf3ab4cc061e33c1f804183543e
	Issue introduced in 6.7 with commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be and fixed in 6.18.4 with commit 92d900aac3a5721fb54f3328f1e089b44a861c38
	Issue introduced in 6.7 with commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be and fixed in 6.19-rc4 with commit 6595beb40fb0ec47223d3f6058ee40354694c8e4
	Issue introduced in 4.19.304 with commit bd7de4734535140fda33240c2335a07fdab6f88e
	Issue introduced in 5.4.266 with commit b10265532df7bc3666bc53261b7f03f0fd14b1c9
	Issue introduced in 5.10.206 with commit 12e5a4719c99d7f4104e7e962393dfb8baa1c591
	Issue introduced in 5.15.146 with commit c0e527c532a07556ca44642f5873b002c44da22c

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-71086
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	net/rose/af_rose.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981
	https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280
	https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e
	https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38
	https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4