{"id":"CVE-2025-22103","summary":"net: fix NULL pointer dereference in l3mdev_l3_rcv","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer dereference in l3mdev_l3_rcv\n\nWhen delete l3s ipvlan:\n\n    ip link del link eth0 ipvlan1 type ipvlan mode l3s\n\nThis may cause a null pointer dereference:\n\n    Call trace:\n     ip_rcv_finish+0x48/0xd0\n     ip_rcv+0x5c/0x100\n     __netif_receive_skb_one_core+0x64/0xb0\n     __netif_receive_skb+0x20/0x80\n     process_backlog+0xb4/0x204\n     napi_poll+0xe8/0x294\n     net_rx_action+0xd8/0x22c\n     __do_softirq+0x12c/0x354\n\nThis is because l3mdev_l3_rcv() visit dev-\u003el3mdev_ops after\nipvlan_l3s_unregister() assign the dev-\u003el3mdev_ops to NULL. The process\nlike this:\n\n    (CPU1)                     | (CPU2)\n    l3mdev_l3_rcv()            |\n      check dev-\u003epriv_flags:   |\n        master = skb-\u003edev;     |\n                               |\n                               | ipvlan_l3s_unregister()\n                               |   set dev-\u003epriv_flags\n                               |   dev-\u003el3mdev_ops = NULL;\n                               |\n      visit master-\u003el3mdev_ops |\n\nTo avoid this by do not set dev-\u003el3mdev_ops when unregister l3s ipvlan.","modified":"2026-04-02T12:45:21.729339Z","published":"2025-04-16T14:12:52.164Z","related":["SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01965-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:02000-1","SUSE-SU-2025:20408-1","SUSE-SU-2025:20413-1","SUSE-SU-2025:20419-1","SUSE-SU-2025:20421-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22103.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0032c99e83b9ce6d5995d65900aa4b6ffb501cce"},{"type":"WEB","url":"https://git.kernel.org/stable/c/52b44d8c653459c658b733d13658afdde45f6836"},{"type":"WEB","url":"https://git.kernel.org/stable/c/59599bce44af3df7a215ebc81cb166426e1c9204"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f9dff65140efc289f01bcf39c3ca66a8806b6132"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22103.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22103"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c675e06a98a474f7ad0af32ce467613da818da52"},{"fixed":"52b44d8c653459c658b733d13658afdde45f6836"},{"fixed":"59599bce44af3df7a215ebc81cb166426e1c9204"},{"fixed":"f9dff65140efc289f01bcf39c3ca66a8806b6132"},{"fixed":"0032c99e83b9ce6d5995d65900aa4b6ffb501cce"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22103.json"}}],"schema_version":"1.7.5"}