KernelScan.io

HIGH

rose Device Cleanup OOB

CVE-2025-71086

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

net: rose: fix invalid array index in rose_kill_by_device()

rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold().

Fix the index to use i.


Engine v0.2.0

Risk summary

A programming error in the ROSE protocol's device cleanup code can cause out-of-bounds memory reads and invalid pointer dereferences when network devices are brought down. This could lead to system crashes or potentially allow local attackers with network administration privileges to cause denial of service.

Affected: net/rose/af_rose.c

Vulnerability analysis

Root Cause: In rose_kill_by_device(), a loop iterates over a local array of socket pointers but mistakenly uses array[cnt] instead of array[i] as the index. The variable 'cnt' is the total number of collected sockets, while 'i' is the loop iterator. As a result, every iteration accesses the same element (index cnt), which is either an uninitialized slot (cnt < ARRAY_SIZE(array)) or one past the end of the array (cnt == ARRAY_SIZE(array)), instead of visiting elements 0 to cnt-1.

Attack Surface: Local attack surface requiring the ability to bring network devices up/down or trigger device events. The vulnerability occurs during network device state changes when ROSE protocol sockets are bound to the affected device. Exploitation requires local access with sufficient privileges to manipulate network interfaces.

Fix Mechanism: The patch changes the array index from 'cnt' to 'i' in the loop that processes collected sockets. This ensures the loop correctly iterates through all collected socket pointers from array[0] to array[cnt-1].


Branch      Fixed in    Patch commit
4.20        4.20        b409ba9e1e63
5.10        5.10.248    819fb41ae549
5.15        5.15.198    ed2639414d43
5.5         5.5         92d900aac3a5
6.1         6.1.160     1418c12cd3bb
6.12        6.12.64     6595beb40fb0
6.18        6.18.4      (not listed)
6.6         6.6.120     9f6185a32496
mainline    6.19        (not listed)