CVE-2025-38476— rpl: Fix use-after-free in rpl_do_srh_inline().
Affected Version Matrix 16
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | a7a29f9c361f8542604ef959ae6627f423b7a412< c09e21dfc08d8afb92d9ea3bee3457adbe3ef297 | affected |
a7a29f9c361f8542604ef959ae6627f423b7a412< 8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc | affected | ||
a7a29f9c361f8542604ef959ae6627f423b7a412< e8101506ab86dd78f823b7028f2036a380f3a12a | affected | ||
a7a29f9c361f8542604ef959ae6627f423b7a412< 62dcd9d6e61c39122d2f251a26829e2e55b0a11d | affected | ||
a7a29f9c361f8542604ef959ae6627f423b7a412< 06ec83b6c792fde1f710c1de3e836da6e257c4c4 | affected | ||
a7a29f9c361f8542604ef959ae6627f423b7a412< 034b428aa3583373a5a20b1c5931bb2b3cae1f36 | affected | ||
a7a29f9c361f8542604ef959ae6627f423b7a412< b640daa2822a39ff76e70200cb2b7b892b896dce | affected | ||
5.7 | affected | ||
| … +8 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-38476
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
rpl: Fix use-after-free in rpl_do_srh_inline().
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it by making oldhdr to a local struct instead of a pointer. [0]: [root@fedora net]# ./lwt_dst_cache_ref_loop.sh ... TEST: rpl (input) [ 57.631529] ================================================================== BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) Read of size 40 at addr ffff888122bf96d8 by task ping6/1543 CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1)) __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2)) rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282) lwtunnel_input (net/core/lwtunnel.c:459) ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1)) __netif_receive_skb_one_core (net/core/dev.c:5967) process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) __napi_poll.constprop.0 (net/core/dev.c:7452) net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480 (discriminator 20)) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:407) __dev_queue_xmit (net/core/dev.c:4740) ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141) ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226) ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248) ip6_send_skb (net/ipv6/ip6_output.c:1983) rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) __x64_sys_sendto (net/socket.c:2231) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f68cffb2a06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06 RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003 RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4 R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0 </TASK> Allocated by task 1543: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88)) __alloc_skb (net/core/skbuff.c:669) __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1)) ip6_ ---truncated---
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于rpl_do_srh_inline函数中存在释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-38476
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-38476
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-07-28 · 29 CVEs total
| CVE-2025-38484 | iio: backend: fix out-of-bound write | |
| CVE-2025-38497 | usb: gadget: configfs: Fix OOB read on empty string write | |
| CVE-2025-38496 | dm-bufio: fix sched in atomic context | |
| CVE-2025-38495 | HID: core: ensure the allocated report buffer can contain the reserved report ID | |
| CVE-2025-38494 | HID: core: do not bypass hid_hw_raw_request | |
| CVE-2025-38493 | tracing/osnoise: Fix crash in timerlat_dump_stack() | |
| CVE-2025-38492 | netfs: Fix race between cache write completion and ALL_QUEUED being set | |
| CVE-2025-38491 | mptcp: make fallback action and fallback decision atomic | |
| CVE-2025-38490 | net: libwx: remove duplicate page_pool_put_full_page() | |
| CVE-2025-38489 | s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again | |
| CVE-2025-38488 | smb: client: fix use-after-free in crypt_message when using async crypto | |
| CVE-2025-38487 | soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled | |
| CVE-2025-38485 | iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush | |
| CVE-2025-38486 | soundwire: Revert "soundwire: qcom: Add set_channel_map api support" | |
| CVE-2025-38468 | net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree | |
| CVE-2025-38483 | comedi: das16m1: Fix bit shift out of bounds | |
| CVE-2025-38482 | comedi: das6402: Fix bit shift out of bounds | |
| CVE-2025-38481 | comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large | |
| CVE-2025-38480 | comedi: Fix use of uninitialized data in insn_rw_emulate_bits() | |
| CVE-2025-38478 | comedi: Fix initialization of data for instructions that write to subdevice |
Showing top 20 of 29 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
Same vendor: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
V. Comments for CVE-2025-38476
No comments yet