CVE-2025-38052
BaseFortify
Publication date: 2025-06-18
Last updated on: 2025-12-17
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.5 (inc) to 5.10.238 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.185 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.141 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.93 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.31 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.14.9 (exc) |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| debian | debian_linux | 11.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a slab-use-after-free bug in the Linux kernel's TIPC (Transparent Inter-Process Communication) networking component, specifically in the tipc_aead_encrypt_done function. It occurs when a cryptographic operation is interrupted and the cryptd_queue_worker workqueue accesses memory that has already been freed after a network namespace is deleted. This leads to a read of freed memory, which can cause undefined behavior or crashes. The issue arises because the tipc_crypto tx object is freed but still accessed later due to asynchronous cryptographic processing. The fix involves holding a network reference count before encryption to prevent premature freeing.
How can this vulnerability impact me? :
This vulnerability can lead to use-after-free memory access in the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service by exploiting the freed memory access in the TIPC networking component.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reproducing the conditions that trigger the slab-use-after-free in the tipc_aead_encrypt_done function. The CVE description provides a reproduction sequence using Linux network namespace and TIPC commands: 1. Create a network namespace: ip netns add ns1 2. Create a veth pair: ip link add veth1 type veth peer name veth2 3. Move one end to the namespace: ip link set veth1 netns ns1 4. Enable TIPC bearer on the interface inside the namespace: ip netns exec ns1 tipc bearer enable media eth dev veth1 5. Set a TIPC node key: ip netns exec ns1 tipc node set key this_is_a_master_key master 6. Disable the TIPC bearer: ip netns exec ns1 tipc bearer disable media eth dev veth1 7. Delete the namespace: ip netns del ns1 Monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports related to slab-use-after-free in tipc_aead_encrypt_done can help detect the vulnerability being triggered.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the Linux kernel to a version that includes the fix for this vulnerability. The fix involves holding a network reference count before encrypting to prevent use-after-free conditions. Until the patch is applied, avoid operations that reproduce the issue, such as creating and deleting network namespaces with TIPC bearers enabled and disabled in the described sequence.