{"id":"CVE-2025-39827","summary":"net: rose: include node references in rose_neigh refcount","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: include node references in rose_neigh refcount\n\nCurrent implementation maintains two separate reference counting\nmechanisms: the 'count' field in struct rose_neigh tracks references from\nrose_node structures, while the 'use' field (now refcount_t) tracks\nreferences from rose_sock.\n\nThis patch merges these two reference counting systems using 'use' field\nfor proper reference management. Specifically, this patch adds incrementing\nand decrementing of rose_neigh-\u003euse when rose_neigh-\u003ecount is incremented\nor decremented.\n\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\nrose_clear_route() to properly release references to rose_neigh objects\nbefore freeing a rose_node through rose_remove_node().\n\nThese changes ensure rose_neigh structures are properly freed only when\nall references, including those from rose_node structures, are released.\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot.","modified":"2026-04-02T12:48:10.266422Z","published":"2025-09-16T13:00:25.555Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39827.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39827.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39827"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"4cce478c3e82a5fc788d72adb2f4c4e983997639"},{"fixed":"9c547c8eee9d1cf6e744611d688b9f725cf9a115"},{"fixed":"d7563b456ed44151e1a82091d96f60166daea89b"},{"fixed":"384210cceb1873a4c8218b27ba0745444436b728"},{"fixed":"da9c9c877597170b929a6121a68dcd3dd9a80f45"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39827.json"}}],"schema_version":"1.7.5"}