CVE-2025-39850
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-39850
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39850.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-39850
- Downstream
- Published
- 2025-09-19T15:26:22Z
- Modified
- 2025-10-16T05:22:16.783137Z
- Summary
- vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
When the "proxy" option is enabled on a VXLAN device, the device will suppress ARP requests and IPv6 Neighbor Solicitation messages if it is able to reply on behalf of the remote host. That is, if a matching and valid neighbor entry is configured on the VXLAN device whose MAC address is not behind the "any" remote (0.0.0.0 / ::).
The code currently assumes that the FDB entry for the neighbor's MAC address points to a valid remote destination, but this is incorrect if the entry is associated with an FDB nexthop group. This can result in a NPD [1][3] which can be reproduced using [2][4].
Fix by checking that the remote destination exists before dereferencing it.
[1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:vxlanxmit+0xb58/0x15f0 [...] Call Trace: <TASK> devhardstartxmit+0x5d/0x1c0 _devqueuexmit+0x246/0xfd0 packetsendmsg+0x113a/0x1850 _socksendmsg+0x38/0x70 _syssendto+0x126/0x180 _x64syssendto+0x24/0x30 dosyscall64+0xa4/0x260 entrySYSCALL64after_hwframe+0x4b/0x53
[2] #!/bin/bash
ip address add 192.0.2.1/32 dev lo
ip nexthop add id 1 via 192.0.2.2 fdb ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy
ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3
[3] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014 RIP: 0010:vxlanxmit+0x803/0x1600 [...] Call Trace: <TASK> devhardstartxmit+0x5d/0x1c0 _devqueuexmit+0x246/0xfd0 ip6finishoutput2+0x210/0x6c0 ip6finishoutput+0x1af/0x2b0 ip6mroutput+0x92/0x3e0 ip6sendskb+0x30/0x90 rawv6sendmsg+0xe6e/0x12e0 _socksendmsg+0x38/0x70 _syssendto+0x126/0x180 _x64syssendto+0x24/0x30 dosyscall64+0xa4/0x260 entrySYSCALL64after_hwframe+0x4b/0x53 RIP: 0033:0x7f383422ec77
[4] #!/bin/bash
ip address add 2001:db8:1::1/128 dev lo
ip nexthop add id 1 via 2001:db8:1::1 fdb ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy
ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1274e1cc42264d4e629841e4f182795cb0becfd2Fixede211e3f4199ac829bd493632efcd131d337cba9d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1274e1cc42264d4e629841e4f182795cb0becfd2Fixed8cfa0f076842f9b3b4eb52ae0e41d16e25cbf8fa
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1274e1cc42264d4e629841e4f182795cb0becfd2Fixed1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce