CVE-2025-39703
BaseFortify

Publication date: 2025-09-05

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net, hsr: reject HSR frame if skb can't hold tag

Receiving HSR frame with insufficient space to hold HSR tag in the skb can result in a crash (kernel BUG):

[ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1
[ 45.392559] ------------[ cut here ]------------
[ 45.392912] kernel BUG at net/core/skbuff.c:211!
[ 45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef)
[ 45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 45.395273] RIP: 0010:skb_panic+0x15b/0x1d0
<snip registers, remove unreliable trace>
[ 45.402911] Call Trace:
[ 45.403105] <IRQ>
[ 45.404470] skb_push+0xcd/0xf0
[ 45.404726] br_dev_queue_push_xmit+0x7c/0x6c0
[ 45.406513] br_forward_finish+0x128/0x260
[ 45.408483] __br_forward+0x42d/0x590
[ 45.409464] maybe_deliver+0x2eb/0x420
[ 45.409763] br_flood+0x174/0x4a0
[ 45.410030] br_handle_frame_finish+0xc7c/0x1bc0
[ 45.411618] br_handle_frame+0xac3/0x1230
[ 45.413674] __netif_receive_skb_core.constprop.0+0x808/0x3df0
[ 45.422966] __netif_receive_skb_one_core+0xb4/0x1f0
[ 45.424478] __netif_receive_skb+0x22/0x170
[ 45.424806] process_backlog+0x242/0x6d0
[ 45.425116] __napi_poll+0xbb/0x630
[ 45.425394] net_rx_action+0x4d1/0xcc0
[ 45.427613] handle_softirqs+0x1a4/0x580
[ 45.427926] do_softirq+0x74/0x90
[ 45.428196] </IRQ>

This issue was found by syzkaller.

The panic happens in br_dev_queue_push_xmit() once it receives a corrupted skb with ETH header already pushed in linear data. When it attempts the skb_push() call, there's not enough headroom and skb_push() panics.

The corrupted skb is put on the queue by HSR layer, which makes a sequence of unintended transformations when it receives a specific corrupted HSR frame (with incomplete TAG).

Fix it by dropping and consuming frames that are not long enough to contain both ethernet and hsr headers.

Alternative fix would be to check for enough headroom before skb_push() in br_dev_queue_push_xmit().

In the reproducer, this is injected via AF_PACKET, but I don't easily see why it couldn't be sent over the wire from adjacent network.

Further Details:

In the reproducer, the following network interface chain is set up:

[Diagram: veth0_to_hsr is connected to hsr_slave0 and veth1_to_hsr to hsr_slave1; both slaves are connected to hsr0; hsr0 and further ports ("...") are connected to bridge.]

To trigger the events leading up to crash, reproducer sends a corrupted HSR fr ---truncated---
Meta Information
Published: 2025-09-05
Last Modified: 2025-11-03
Generated: 2026-05-07
AI Q&A: 2025-09-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor    Product         Version / Range
linux     linux_kernel    6.15.0
linux     linux_kernel    5.10.244
linux     linux_kernel    6.1.153
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel involves the handling of HSR (High-availability Seamless Redundancy) frames. When the kernel receives a corrupted HSR frame that is too short to hold the complete HSR tag, the HSR layer makes a sequence of unintended transformations and queues a corrupted socket buffer (skb). When the bridge code in br_dev_queue_push_xmit() then calls skb_push() on that skb, there is not enough headroom and skb_push() panics (kernel BUG). The issue was fixed by dropping frames that are too short to contain both Ethernet and HSR headers, preventing the crash.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash when it processes corrupted HSR frames with insufficient space for the HSR tag. Such a crash results in a kernel panic, leading to a denial of service (DoS) condition where the affected system becomes unstable or unresponsive until rebooted. This can disrupt network operations and affect system availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the system logs for kernel panic messages related to skb_under_panic or kernel BUG in net/core/skbuff.c. Specifically, look for messages indicating a crash caused by receiving HSR frames with insufficient space to hold the HSR tag in the skb. Commands such as 'dmesg | grep skb_under_panic' or 'journalctl -k | grep skb_under_panic' can help identify these kernel panic logs.
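
A triage helper for the log search described above, as an added example that is not part of the original page: the function names and the output format are assumptions, and the sample lines are copied from the trace quoted in the description. It goes one step past a bare grep by checking whether br_dev_queue_push_xmit appears in the trace after the skb_under_panic line, which separates this crash path from other skb_under_panic events.

```shell
#!/bin/sh
# Added example (not the page's or the kernel project's code).
# Names scan_hsr_crash and sample_log are hypothetical.

# scan_hsr_crash: read kernel log text on stdin and print one line per
# skb_under_panic event:
#   dev=<netdev> len=<n> put=<n> bridge_xmit=<yes|no>
# bridge_xmit=yes means br_dev_queue_push_xmit shows up in the lines that
# follow, matching the call trace in the CVE description.
# Returns 0 if at least one event was found, 1 otherwise.
scan_hsr_crash() {
    awk '
        function emit() {
            if (seen)
                printf "dev=%s len=%s put=%s bridge_xmit=%s\n", dev, len, put, (br ? "yes" : "no")
        }
        /skb_under_panic:/ {
            emit()                      # close the previous event, if any
            seen = 1; found = 1; br = 0
            dev = len = put = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dev:/) dev = substr($i, 5)
                else if ($i ~ /^len:/) len = substr($i, 5)
                else if ($i ~ /^put:/) put = substr($i, 5)
            }
            next
        }
        seen && /br_dev_queue_push_xmit/ { br = 1 }
        END { emit(); exit (found ? 0 : 1) }
    '
}

# Sample input: four lines taken from the trace quoted in the description.
sample_log() {
    cat <<'EOF'
[ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1
[ 45.392912] kernel BUG at net/core/skbuff.c:211!
[ 45.404470] skb_push+0xcd/0xf0
[ 45.404726] br_dev_queue_push_xmit+0x7c/0x6c0
EOF
}

# Demo on the embedded sample; on a real host pipe the kernel log in instead.
sample_log | scan_hsr_crash
```

dmesg only covers the current boot, so after a crash and reboot read the previous boot's kernel log instead, for example `journalctl -k -b -1 | scan_hsr_crash` on a system with a persistent journal.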


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the Linux kernel to a version where this vulnerability is fixed. The fix involves dropping and consuming frames that are not long enough to contain both ethernet and HSR headers, preventing the kernel panic. Until the update is applied, monitoring and filtering corrupted HSR frames on the network or disabling HSR functionality if not needed can reduce exposure.

