CVE-2025-38019

一、漏洞信息
 漏洞编号：[CVE-2025-38019](https://nvd.nist.gov/vuln/detail/CVE-2025-38019)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：N/A None
  Vector：CVSS：3.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devicesThe driver only offloads neighbors that are constructed on top of netdevices registered by it or their uppers (which are all Ethernet). Thedevice supports GRE encapsulation and decapsulation of forwardedtraffic, but the driver will not offload dummy neighbors constructed ontop of GRE net devices as they are not uppers of its net devices: # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1 # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1 $ ip neigh show dev gre1 nud noarp 0.0.0.0 lladdr 0.0.0.0 NOARP(Note that the neighbor is not marked with  offload )When the driver is reloaded and the existing configuration is replayed,the driver does not perform the same check regarding existing neighborsand offloads the previously added one: # devlink dev reload pci/0000:01:00.0 $ ip neigh show dev gre1 nud noarp 0.0.0.0 lladdr 0.0.0.0 offload NOARPIf the neighbor is later deleted, the driver will ignore thenotification (given the GRE net device is not its upper) and willtherefore keep referencing freed memory, resulting in a use-after-free[1] when the net device is deleted: # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1 # ip link del dev gre1Fix by skipping neighbor replay if the net device for which the replayis performed is not our upper.[1]BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200Read of size 8 at addr ffff888155b0e420 by task ip/2282[...]Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6f/0x350 print_report+0x108/0x205 kasan_report+0xdf/0x110 mlxsw_sp_neigh_entry_update+0x1ea/0x200 mlxsw_sp_router_rif_gone_sync+0x2a8/0x440 mlxsw_sp_rif_destroy+0x1e9/0x750 mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0 mlxsw_sp_router_netdevice_event+0x3ac/0x15e0 notifier_call_chain+0xca/0x150 call_netdevice_notifiers_info+0x7f/0x100 unregister_netdevice_many_notify+0xc8c/0x1d90 rtnl_dellink+0x34e/0xa50 rtnetlink_rcv_msg+0x6fb/0xb70 netlink_rcv_skb+0x131/0x360 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 __sys_sendmsg+0x121/0x1b0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53
 漏洞公开时间：2025-06-18 18:15:33
 漏洞创建时间：2025-06-19 11:46:57
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2025-38019
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
|  | https://git.kernel.org/stable/c/92ec4855034b2c4d13f117558dc73d20581fa9ff |  |
|  | https://git.kernel.org/stable/c/9ab7945f3a61ed23da412e30f1e56414c05c4f06 |  |
|  | https://git.kernel.org/stable/c/abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7 |  |
|  | https://git.kernel.org/stable/c/f1ecccb5cdda39bca8cd17bb0b6cf61361e33578 |  |
|  | https://security-tracker.debian.org/tracker/CVE-2025-38019 |  |
|  | https://bugzilla.redhat.com/show_bug.cgi?id=2373330 |  |
|  | https://access.redhat.com/security/cve/CVE-2025-38019 |  |
|  | https://linux.oracle.com/cve/CVE-2025-38019.html |  |
|  | https://linux.oracle.com/errata/ELSA-2025-20480.html |  |
|  | https://git.kernel.org/stable/c/92ec4855034b2c4d13f117558dc73d20581fa9ff |  |
|  | https://git.kernel.org/stable/c/9ab7945f3a61ed23da412e30f1e56414c05c4f06 |  |
|  | https://git.kernel.org/stable/c/abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7 |  |
|  | https://git.kernel.org/stable/c/f1ecccb5cdda39bca8cd17bb0b6cf61361e33578 |  |
|  | https://linux.oracle.com/cve/CVE-2025-38019.html |  |
|  | https://linux.oracle.com/errata/ELSA-2025-20480.html |  |
|  | https://git.kernel.org/stable/c/92ec4855034b2c4d13f117558dc73d20581fa9ff |  |
|  | https://git.kernel.org/stable/c/9ab7945f3a61ed23da412e30f1e56414c05c4f06 |  |
|  | https://git.kernel.org/stable/c/abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7 |  |
|  | https://git.kernel.org/stable/c/f1ecccb5cdda39bca8cd17bb0b6cf61361e33578 |  |
|  | https://www.cve.org/CVERecord?id=CVE-2025-38019 |  |
|  | https://nvd.nist.gov/vuln/detail/CVE-2025-38019 |  |
|  | https://lore.kernel.org/linux-cve-announce/2025061845-CVE-2025-38019-efab@gregkh/T |  |
|  | https://bugzilla.redhat.com/show_bug.cgi?id=2373330 |  |
|  | https://vigilance.fr/vulnerability/Linux-kernel-multiple-vulnerabilities-dated-18-06-2025-47466 |  |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  七彩瞬析开源风险感知平台
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| gregkh/linux |  | https://github.com/gregkh/linux/commit/92ec4855034b2c4d13f117558dc73d20581fa9ff.patch |  | ljqc |
|  |  | https://git.kernel.org/stable/c/92ec4855034b2c4d13f117558dc73d20581fa9ff |  | nvd |
|  |  | https://git.kernel.org/stable/c/9ab7945f3a61ed23da412e30f1e56414c05c4f06 |  | nvd |
|  |  | https://git.kernel.org/stable/c/abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7 |  | nvd |
|  |  | https://git.kernel.org/stable/c/f1ecccb5cdda39bca8cd17bb0b6cf61361e33578 |  | nvd |
|  |  | https://git.kernel.org/stable/c/92ec4855034b2c4d13f117558dc73d20581fa9ff |  | snyk |
|  |  | https://git.kernel.org/stable/c/9ab7945f3a61ed23da412e30f1e56414c05c4f06 |  | snyk |
|  |  | https://git.kernel.org/stable/c/abc43c1ffdbc801b0b04ac845bfaf1d42b8f68f7 |  | snyk |
|  |  | https://git.kernel.org/stable/c/f1ecccb5cdda39bca8cd17bb0b6cf61361e33578 |  | snyk |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devicesThe driver only offloads neighbors that are constructed on top of netdevices registered by it or their uppers (which are all Ethernet). Thedevice supports GRE encapsulation and decapsulation of forwardedtraffic, but the driver will not offload dummy neighbors constructed ontop of GRE net devices as they are not uppers of its net devices: # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1 # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1 $ ip neigh show dev gre1 nud noarp 0.0.0.0 lladdr 0.0.0.0 NOARP(Note that the neighbor is not marked with &#39;offload&#39;)When the driver is reloaded and the existing configuration is replayed,the driver does not perform the same check regarding existing neighborsand offloads the previously added one: # devlink dev reload pci/0000:01:00.0 $ ip neigh show dev gre1 nud noarp 0.0.0.0 lladdr 0.0.0.0 offload NOARPIf the neighbor is later deleted, the driver will ignore thenotification (given the GRE net device is not its upper) and willtherefore keep referencing freed memory, resulting in a use-after-free[1] when the net device is deleted: # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1 # ip link del dev gre1Fix by skipping neighbor replay if the net device for which the replayis performed is not our upper.[1]BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200Read of size 8 at addr ffff888155b0e420 by task ip/2282[...]Call Trace: &lt;TASK&gt; dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6f/0x350 print_report+0x108/0x205 kasan_report+0xdf/0x110 mlxsw_sp_neigh_entry_update+0x1ea/0x200 mlxsw_sp_router_rif_gone_sync+0x2a8/0x440 mlxsw_sp_rif_destroy+0x1e9/0x750 mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0 mlxsw_sp_router_netdevice_event+0x3ac/0x15e0 notifier_call_chain+0xca/0x150 call_netdevice_notifiers_info+0x7f/0x100 unregister_netdevice_many_notify+0xc8c/0x1d90 rtnl_dellink+0x34e/0xa50 rtnetlink_rcv_msg+0x6fb/0xb70 netlink_rcv_skb+0x131/0x360 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 __sys_sendmsg+0x121/0x1b0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53The Linux kernel CVE team has assigned CVE-2025-38019 to this issue.
 openEuler评分：
  3.9
 Vector：CVSS：3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
 受影响版本排查(受影响/不受影响)：
  1.openEuler-24.03-LTS(6.6.0):受影响
2.openEuler-24.03-LTS-SP1(6.6.0):受影响
3.openEuler-24.03-LTS-SP2(6.6.0):受影响
4.master(6.12.33):不受影响
5.openEuler-20.03-LTS-SP4(4.19.90):不受影响
6.openEuler-22.03-LTS-SP3:不受影响
7.openEuler-22.03-LTS-SP4:不受影响
8.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.master(6.12.33):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS-SP3:否
4.openEuler-22.03-LTS-SP4:否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否
8.openEuler-24.03-LTS-SP2(6.6.0):否

原因说明：
  1.openEuler-24.03-LTS(6.6.0):正常修复
2.openEuler-24.03-LTS-SP1(6.6.0):正常修复
3.openEuler-24.03-LTS-SP2(6.6.0):正常修复
4.master(6.12.33):不受影响-漏洞代码不能被攻击者触发
5.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发
6.openEuler-20.03-LTS-SP4(4.19.90):不受影响-漏洞代码不存在
7.openEuler-22.03-LTS-SP3:不受影响-漏洞代码不存在
8.openEuler-22.03-LTS-SP4:不受影响-漏洞代码不存在

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2025-2122

src-openEuler/kernel
Closed

Content Risk Flag

Comments (5)

src-openEuler/kernelClosed .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2025-38019

Comments (5)

Search

src-openEuler/kernel
Closed