CVE-2025-39848

Source
https://cve.org/CVERecord?id=CVE-2025-39848
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39848.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-39848
Downstream
Related
Published
2025-09-19T15:26:21.403Z
Modified
2026-03-13T04:00:49.081246Z
Summary
ax25: properly unshare skbs in ax25_kiss_rcv()
Details

In the Linux kernel, the following vulnerability has been resolved:

ax25: properly unshare skbs in ax25_kiss_rcv()

Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains").

skb->dev becomes NULL and we crash in __netif_receive_skb_core().

Before the above commit, different kinds of bugs or corruptions could happen without a major crash.

But the root cause is that ax25_kiss_rcv() can queue/mangle input skb without checking if this skb is shared or not.

Many thanks to Bernard Pidoux for his help, diagnosis and tests.

We had a similar issue years ago fixed with commit 7aaed57c5c28 ("phonet: properly unshare skbs in phonet_rcv()").
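
The shared-buffer hazard described above, as an added userspace model that is not part of the CVE record or the kernel commit. `struct pkt`, `pkt_share_check()`, `rcv_unsafe()` and `rcv_safe()` are hypothetical names, and the model makes a full copy for simplicity where the kernel's `skb_share_check()` clones the buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a reference-counted packet buffer; not kernel code. */
struct pkt {
    int users;              /* number of holders, like skb->users */
    void *dev;              /* receiving device, like skb->dev */
    unsigned char data[8];
};

/* If anyone else holds the buffer, hand the caller a private copy and
 * release the caller's reference on the original. NULL means the copy
 * could not be allocated and the caller must drop the packet. */
static struct pkt *pkt_share_check(struct pkt *p)
{
    struct pkt *copy;

    if (p->users <= 1)
        return p;           /* sole owner: safe to modify in place */
    copy = malloc(sizeof(*copy));
    if (copy) {
        memcpy(copy, p, sizeof(*copy));
        copy->users = 1;
    }
    p->users--;
    return copy;
}

/* Buggy pattern: mutates a buffer that other holders still read. */
static void rcv_unsafe(struct pkt *p)
{
    p->dev = NULL;          /* illustrative mutation */
    p->data[0] = 0xff;
}

/* Corrected pattern: unshare first, then mutate only the private buffer. */
static struct pkt *rcv_safe(struct pkt *p)
{
    p = pkt_share_check(p);
    if (!p)
        return NULL;
    rcv_unsafe(p);
    return p;
}

int main(void)
{
    int dev0 = 0;
    struct pkt shared = { 2, &dev0, { 0x10 } };   /* constructed input */
    struct pkt *mine = rcv_safe(&shared);
    int ok = mine && shared.dev == (void *)&dev0 && shared.data[0] == 0x10;

    free(mine);
    return ok ? 0 : 1;
}
```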

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39848.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
42b46684e2c78ee052d8c2ee8d9c2089233c9094
Fixed
5b079be1b9da49ad88fc304c874d4be7085f7883
Fixed
2bd0f67212908243ce88e35bf69fa77155b47b14
Fixed
01a2984cb803f2d487b7074f9718db2bf3531f69
Fixed
7d449b7a6c8ee434d10a483feed7c5c50108cf56
Fixed
89064cf534bea4bb28c83fe6bbb26657b19dd5fe
Fixed
b1c71d674a308d2fbc83efcf88bfc4217a86aa17
Fixed
8156210d36a43e76372312c87eb5ea3dbb405a85

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39848.json"