| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026013134-CVE-2025-71182-54d0@gregkh>
Date: Sat, 31 Jan 2026 12:39:33 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-71182: can: j1939: make j1939_session_activate() fail if device is no longer registered
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: make j1939_session_activate() fail if device is no longer registered
syzbot is still reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
even after commit 93a27b5891b8 ("can: j1939: add missing calls in
NETDEV_UNREGISTER notification handler") was added. A debug printk() patch
found that j1939_session_activate() can succeed even after
j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)
has completed.
Since j1939_cancel_active_session() is processed with the session list lock
held, checking ndev->reg_state in j1939_session_activate() with the session
list lock held can reliably close the race window.
The Linux kernel CVE team has assigned CVE-2025-71182 to this issue.
Affected and fixed versions
===========================
Fixed in 5.10.248 with commit ebb0dfd718dd31c8d3600612ca4b7207ec3d923a
Fixed in 5.15.198 with commit c3a4316e3c746af415c0fd6c6d489ad13f53714d
Fixed in 6.1.161 with commit 46ca9dc978923c5e1247a9e9519240ba7ace413c
Fixed in 6.6.121 with commit 78d87b72cebe2a993fd5b017e9f14fb6278f2eae
Fixed in 6.12.66 with commit ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536
Fixed in 6.18.6 with commit 79dd3f1d9dd310c2af89b09c71f34d93973b200f
Fixed in 6.19-rc2 with commit 5d5602236f5db19e8b337a2cd87a90ace5ea776d
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-71182
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/can/j1939/transport.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/ebb0dfd718dd31c8d3600612ca4b7207ec3d923a
https://git.kernel.org/stable/c/c3a4316e3c746af415c0fd6c6d489ad13f53714d
https://git.kernel.org/stable/c/46ca9dc978923c5e1247a9e9519240ba7ace413c
https://git.kernel.org/stable/c/78d87b72cebe2a993fd5b017e9f14fb6278f2eae
https://git.kernel.org/stable/c/ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536
https://git.kernel.org/stable/c/79dd3f1d9dd310c2af89b09c71f34d93973b200f
https://git.kernel.org/stable/c/5d5602236f5db19e8b337a2cd87a90ace5ea776d
Powered by blists - more mailing lists