HIGH
net/ipv6 DstDev UAF
CVE-2025-40158
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: use RCU in ip6_output()

Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF.

We can remove rcu_read_lock()/rcu_read_unlock() pairs from ip6_finish_output2().
02 KernelScan AI Analysis
Risk summary
Remote attackers can potentially trigger a use-after-free vulnerability in IPv6 packet output processing by sending packets that race with route cleanup operations. This could lead to kernel memory corruption, information disclosure, or system crashes on any system with IPv6 networking enabled.
Vulnerability analysis
The vulnerability occurs in the IPv6 output path where dst->dev is accessed via dst_dev() without RCU protection. When routes are removed and dst_dev_put() is called, the device pointer can be freed while still being accessed by concurrent packet processing, creating a use-after-free condition. The fix adds proper RCU read-side critical sections around the entire output path and uses dst_dev_rcu() for safe device pointer access. The attack surface includes any system processing IPv6 packets, making it network-reachable without requiring special privileges.
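The ordering problem described above can be reproduced deterministically in user space. The following is an added example, not kernel code and not part of the patch: a single-threaded model in which every `model_*` name, the `placeholder` device and the `freed` flag are assumptions made for illustration, and the race is forced by calling the cleanup between the pointer load and its use.

```c
#include <stdbool.h>
#include <stddef.h>
/* User-space, single-threaded model; every name here is hypothetical. */
struct model_netdev { bool freed; };            /* stands in for the net device */
struct model_dst { struct model_netdev *dev; }; /* stands in for the dst entry */

static struct model_netdev placeholder;  /* device the dst points at after cleanup */
static int readers;                      /* active read-side critical sections */
static struct model_netdev *pending;     /* device whose free is deferred */
static void model_read_lock(void) { readers++; }
static void model_read_unlock(void)
{
	if (--readers == 0 && pending) { /* grace period over: deferred free runs */
		pending->freed = true;
		pending = NULL;
	}
}

/* Route cleanup: repoint the dst, then release the old device. */
static void model_dst_dev_put(struct model_dst *dst)
{
	struct model_netdev *old = dst->dev;
	dst->dev = &placeholder;
	if (readers == 0)
		old->freed = true;       /* no reader announced: freed at once */
	else
		pending = old;           /* reader active: free waits for unlock */
}

/* Output path; returns true if the device was still valid when used. */
static bool model_output(struct model_dst *dst, bool use_rcu)
{
	struct model_netdev *dev;
	bool ok;
	if (use_rcu)
		model_read_lock();
	dev = dst->dev;                  /* load the device pointer */
	model_dst_dev_put(dst);          /* constructed race: cleanup lands here */
	ok = !dev->freed;                /* the "use"; false models the UAF */
	if (use_rcu)
		model_read_unlock();
	return ok;
}

int main(void)
{
	struct model_netdev d1 = { false }, d2 = { false };
	struct model_dst a = { &d1 }, b = { &d2 };
	return (!model_output(&a, false) && model_output(&b, true)) ? 0 : 1;
}
```

The model marks the device as freed instead of releasing memory, so the unprotected path can be observed without undefined behaviour; real RCU waits for a grace period rather than counting readers.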
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.17 | 6.17.3 | 0393f85c3241 |
| mainline | 6.18 | 11709573cc4e |