{"id":"CVE-2025-38500","summary":"xfrm: interface: fix use-after-free after changing collect_md xfrm interface","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: interface: fix use-after-free after changing collect_md xfrm interface\n\ncollect_md property on xfrm interfaces can only be set on device creation,\nthus xfrmi_changelink() should fail when called on such interfaces.\n\nThe check to enforce this was done only in the case where the xi was\nreturned from xfrmi_locate() which doesn't look for the collect_md\ninterface, and thus the validation was never reached.\n\nCalling changelink would thus errornously place the special interface xi\nin the xfrmi_net-\u003exfrmi hash, but since it also exists in the\nxfrmi_net-\u003ecollect_md_xfrmi pointer it would lead to a double free when\nthe net namespace was taken down [1].\n\nChange the check to use the xi from netdev_priv which is available earlier\nin the function to prevent changes in xfrm collect_md interfaces.\n\n[1] resulting oops:\n[    8.516540] kernel BUG at net/core/dev.c:12029!\n[    8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[    8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)\n[    8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[    8.516569] Workqueue: netns cleanup_net\n[    8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0\n[    8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 \u003c0f\u003e 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24\n[    8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206\n[    8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60\n[    8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122\n[    8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100\n[    8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00\n[    8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00\n[    8.516615] FS:  0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000\n[    8.516619] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0\n[    8.516625] PKRU: 55555554\n[    8.516627] Call Trace:\n[    8.516632]  \u003cTASK\u003e\n[    8.516635]  ? rtnl_is_locked+0x15/0x20\n[    8.516641]  ? unregister_netdevice_queue+0x29/0xf0\n[    8.516650]  ops_undo_list+0x1f2/0x220\n[    8.516659]  cleanup_net+0x1ad/0x2e0\n[    8.516664]  process_one_work+0x160/0x380\n[    8.516673]  worker_thread+0x2aa/0x3c0\n[    8.516679]  ? __pfx_worker_thread+0x10/0x10\n[    8.516686]  kthread+0xfb/0x200\n[    8.516690]  ? __pfx_kthread+0x10/0x10\n[    8.516693]  ? __pfx_kthread+0x10/0x10\n[    8.516697]  ret_from_fork+0x82/0xf0\n[    8.516705]  ? __pfx_kthread+0x10/0x10\n[    8.516709]  ret_from_fork_asm+0x1a/0x30\n[    8.516718]  \u003c/TASK\u003e","aliases":["A-436201996","ASB-A-436201996"],"modified":"2026-04-02T12:48:00.346762Z","published":"2025-08-12T16:02:42.363Z","related":["ALSA-2025:15011","ALSA-2025:15782","SUSE-SU-2025:03272-1","SUSE-SU-2025:03290-1","SUSE-SU-2025:03301-1","SUSE-SU-2025:03382-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20653-1","SUSE-SU-2025:20669-1","SUSE-SU-2025:20739-1","SUSE-SU-2025:20756-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21085-1","SUSE-SU-2025:21086-1","SUSE-SU-2025:21087-1","SUSE-SU-2025:21088-1","SUSE-SU-2025:21089-1","SUSE-SU-2025:21090-1","SUSE-SU-2025:21091-1","SUSE-SU-2025:21092-1","SUSE-SU-2025:21093-1","SUSE-SU-2025:21094-1","SUSE-SU-2025:21095-1","SUSE-SU-2025:21096-1","SUSE-SU-2025:21097-1","SUSE-SU-2025:21098-1","SUSE-SU-2025:21099-1","SUSE-SU-2025:21100-1","SUSE-SU-2025:21103-1","SUSE-SU-2025:21107-1","SUSE-SU-2025:21108-1","SUSE-SU-2025:21109-1","SUSE-SU-2025:21110-1","SUSE-SU-2025:21111-1","SUSE-SU-2025:21112-1","SUSE-SU-2025:21114-1","SUSE-SU-2025:21116-1","SUSE-SU-2025:21117-1","SUSE-SU-2025:21118-1","SUSE-SU-2025:21119-1","SUSE-SU-2025:21120-1","SUSE-SU-2025:21121-1","SUSE-SU-2025:21122-1","SUSE-SU-2025:21123-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:4160-1","SUSE-SU-2025:4161-1","SUSE-SU-2025:4164-1","SUSE-SU-2025:4167-1","SUSE-SU-2025:4200-1","SUSE-SU-2025:4201-1","SUSE-SU-2025:4208-1","SUSE-SU-2025:4261-1","SUSE-SU-2025:4262-1","SUSE-SU-2025:4265-1","SUSE-SU-2025:4268-1","SUSE-SU-2025:4269-1","SUSE-SU-2025:4282-1","SUSE-SU-2025:4302-1","SUSE-SU-2025:4306-1","SUSE-SU-2026:20149-1","SUSE-SU-2026:20164-1","SUSE-SU-2026:20169-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38500.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5918c3f4800a3aef2173865e5903370f21e24f47"},{"type":"WEB","url":"https://git.kernel.org/stable/c/69a31f7a6a81f5ffd3812c442e09ff0be22960f1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bfebdb85496e1da21d3cf05de099210915c3e706"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38500.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38500"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"abc340b38ba25cd6c7aa2c0bd9150d30738c82d0"},{"fixed":"a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4"},{"fixed":"bfebdb85496e1da21d3cf05de099210915c3e706"},{"fixed":"5918c3f4800a3aef2173865e5903370f21e24f47"},{"fixed":"69a31f7a6a81f5ffd3812c442e09ff0be22960f1"},{"fixed":"a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38500.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}