HIGH
net/ipv4 DstDev UAF
CVE-2025-40074
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved: ipv4: start using dst_dev_rcu() Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF. Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(), ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().
02 KernelScan AI Analysis
Risk summary
A remote, unauthenticated attacker can trigger a use-after-free in core IPv4 packet-processing code by sending packets that race with the teardown of a route's device. Winning the race is not reliable (the CVSS vector rates attack complexity as high), but a successful hit corrupts kernel memory and can yield information disclosure, privilege escalation or a system crash.
Vulnerability analysis
The vulnerability stems from unsafe access to a route's destination device pointer (dst->dev) in IPv4 packet-processing functions. icmpv4_xrlim_allow() and ip_defrag() read the device through dst_dev() without holding an RCU read-side critical section, so a concurrent dst_dev_put(), which runs when the route's device is going away, could swap the pointer and drop the reference on the old net_device while the ICMP rate-limiting or IP defragmentation code was still dereferencing it. The fix switches these callers to dst_dev_rcu() under rcu_read_lock(), so the device cannot be released before the read-side section ends. ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output() and ipv4_neigh_lookup() are converted to the same accessor for its lockdep checking, which warns whenever the pointer is read outside an RCU section; the upstream description names only the first two functions as use-after-free fixes. Because the affected functions lie on the inbound and forwarding IPv4 packet paths, the bug is reachable from the network without authentication.
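The pattern the fix addresses, as an added userspace model rather than kernel code from the page or from the upstream patch: a reader takes the device pointer from a dst, a concurrent dst_dev_put() repoints the dst and retires the old device, and the reader dereferences what it holds. The model's rcu_read_lock()/rcu_read_unlock(), dst_dev()/dst_dev_rcu(), dst_dev_put() and blackhole_netdev are hypothetical stand-ins with the kernel's names; the grace period is modelled as "free when the last reader leaves", and the lockdep check is modelled as a counter that the checked accessor bumps when called with no reader active. Structures, field names and the assumption that dst_dev_put() swaps in a blackhole device before releasing the old one are simplifications for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of net_device: only the fields the example needs. */
struct net_device {
    const char *name;
    int mtu;
    bool freed;   /* set instead of calling free(), so a late dereference stays observable */
};

struct dst_entry {
    struct net_device *dev;   /* swapped by dst_dev_put(), read on the packet path */
};

/* Stand-in for the kernel's blackhole device that a dying dst is redirected to (assumption). */
static struct net_device blackhole_netdev = { "blackhole", 0, false };

/* Model of RCU bookkeeping: reader nesting depth, one deferred free, a lockdep counter. */
static int rcu_read_depth;
static struct net_device *rcu_pending_free;
static int lockdep_violations;

static void rcu_read_lock(void) { rcu_read_depth++; }

static void rcu_read_unlock(void)
{
    /* The last reader leaving ends the grace period: run the deferred free now. */
    if (--rcu_read_depth == 0 && rcu_pending_free) {
        rcu_pending_free->freed = true;
        rcu_pending_free = NULL;
    }
}

static void call_rcu_free_dev(struct net_device *dev)
{
    if (rcu_read_depth == 0)
        dev->freed = true;        /* no reader in flight: released immediately */
    else
        rcu_pending_free = dev;   /* readers in flight: released after they finish */
}

/* Pre-fix accessor: a plain load, no check that the caller holds rcu_read_lock(). */
static struct net_device *dst_dev(const struct dst_entry *dst)
{
    return dst->dev;
}

/* Post-fix accessor: models rcu_dereference() with lockdep, flagging unprotected callers. */
static struct net_device *dst_dev_rcu(const struct dst_entry *dst)
{
    if (rcu_read_depth == 0)
        lockdep_violations++;
    return dst->dev;
}

/* Device teardown: repoint the dst at the blackhole device, retire the old one via RCU. */
static void dst_dev_put(struct dst_entry *dst)
{
    struct net_device *old = dst->dev;
    if (old == &blackhole_netdev)
        return;
    dst->dev = &blackhole_netdev;
    call_rcu_free_dev(old);
}

/* Pre-fix packet path: pointer taken outside RCU, teardown lands before the dereference. */
static int pre_fix_path(struct dst_entry *dst)
{
    struct net_device *dev = dst_dev(dst);
    dst_dev_put(dst);                    /* stands in for a concurrent device unregister */
    return dev->freed ? -1 : dev->mtu;   /* -1 marks a dereference of released memory */
}

/* Post-fix packet path: the same interleaving, but inside an RCU read-side section. */
static int post_fix_path(struct dst_entry *dst)
{
    int mtu;
    rcu_read_lock();
    struct net_device *dev = dst_dev_rcu(dst);
    dst_dev_put(dst);                    /* the release is deferred until we leave */
    mtu = dev->freed ? -1 : dev->mtu;
    rcu_read_unlock();                   /* grace period ends; old device goes away here */
    return mtu;
}

/* Scenario helpers: outcomes as return values, so they can be checked rather than read. */
int scenario_pre_fix(void)
{
    struct net_device eth0 = { "eth0", 1500, false };
    struct dst_entry dst = { &eth0 };
    return pre_fix_path(&dst);           /* -1: use-after-free */
}

int scenario_post_fix(void)
{
    struct net_device eth1 = { "eth1", 1500, false };
    struct dst_entry dst = { &eth1 };
    int mtu = post_fix_path(&dst);
    /* Once the section ends the old device is gone and the dst points at the blackhole. */
    return (eth1.freed && dst.dev == &blackhole_netdev) ? mtu : -2;
}

int scenario_lockdep_catch(void)
{
    struct net_device eth2 = { "eth2", 1500, false };
    struct dst_entry dst = { &eth2 };
    int before = lockdep_violations;
    (void)dst_dev_rcu(&dst);             /* called with no reader active */
    return lockdep_violations - before;  /* 1: the checked accessor complained */
}

int main(void)
{
    printf("pre-fix path: %d (-1 = use-after-free)\n", scenario_pre_fix());
    printf("post-fix path: mtu %d\n", scenario_post_fix());
    printf("lockdep hits from unprotected dst_dev_rcu(): %d\n", scenario_lockdep_catch());
    return 0;
}
```

The second scenario is the whole point of the patch: the interleaving is identical, but because the reader is inside rcu_read_lock() the release of the old device is pushed past the end of the section, so the pointer it already holds stays valid. The third scenario is what "lockdep enabled dst_dev_rcu()" buys for the callers that were already under RCU: a caller that later drifts outside the section gets a warning at test time instead of a silent race.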
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.17 | 6.17.3 | 923e0734c386 |
| mainline | 6.18 | 6ad8de3cefdb |