DEBIAN-CVE-2025-39984

Source
https://security-tracker.debian.org/tracker/CVE-2025-39984
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-39984.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-39984
Upstream
Published
2025-10-15T08:15:36Z
Modified
2025-11-15T13:10:17.124266Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: tun: Update napi->skb after XDP process

The syzbot reports a UAF issue:

  BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
  BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]
  BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
  Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079
  CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
  Call Trace:
   <TASK>
   dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
   print_address_description mm/kasan/report.c:378 [inline]
   print_report+0xca/0x240 mm/kasan/report.c:482
   kasan_report+0x118/0x150 mm/kasan/report.c:595
   skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
   napi_frags_skb net/core/gro.c:723 [inline]
   napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
   tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920
   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
   new_sync_write fs/read_write.c:593 [inline]
   vfs_write+0x5c9/0xb30 fs/read_write.c:686
   ksys_write+0x145/0x250 fs/read_write.c:738
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>

  Allocated by task 6079:
   kasan_save_stack mm/kasan/common.c:47 [inline]
   kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
   unpoison_slab_object mm/kasan/common.c:330 [inline]
   __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558
   kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]
   napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295
   __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657
   napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811
   napi_get_frags+0x69/0x140 net/core/gro.c:673
   tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]
   tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784
   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
   new_sync_write fs/read_write.c:593 [inline]
   vfs_write+0x5c9/0xb30 fs/read_write.c:686
   ksys_write+0x145/0x250 fs/read_write.c:738
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

  Freed by task 6079:
   kasan_save_stack mm/kasan/common.c:47 [inline]
   kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
   kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
   poison_slab_object mm/kasan/common.c:243 [inline]
   __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
   kasan_slab_free include/linux/kasan.h:233 [inline]
   slab_free_hook mm/slub.c:2422 [inline]
   slab_free mm/slub.c:4695 [inline]
   kmem_cache_free+0x18f/0x400 mm/slub.c:4797
   skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969
   netif_skb_check_for_xdp net/core/dev.c:5390 [inline]
   netif_receive_generic_xdp net/core/dev.c:5431 [inline]
   do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499
   tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872
   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
   new_sync_write fs/read_write.c:593 [inline]
   vfs_write+0x5c9/0xb30 fs/read_write.c:686
   ksys_write+0x145/0x250 fs/read_write.c:738
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

After commit e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in generic mode"), the original skb, which was allocated in tun_napi_alloc_frags(), may be freed in skb_pp_cow_data() when an XDP program is attached. However, napi->skb still points to the original skb; update it after the XDP process.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.12.57-1

Affected versions

6.*

6.12.38-1
6.12.41-1
6.12.43-1~bpo12+1
6.12.43-1
6.12.48-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.16.10-1

Affected versions

6.*

6.12.38-1
6.12.41-1
6.12.43-1~bpo12+1
6.12.43-1
6.12.48-1
6.12.57-1
6.13~rc6-1~exp1
6.13~rc7-1~exp1
6.13.2-1~exp1
6.13.3-1~exp1
6.13.4-1~exp1
6.13.5-1~exp1
6.13.6-1~exp1
6.13.7-1~exp1
6.13.8-1~exp1
6.13.9-1~exp1
6.13.10-1~exp1
6.13.11-1~exp1
6.14.3-1~exp1
6.14.5-1~exp1
6.14.6-1~exp1
6.15~rc7-1~exp1
6.15-1~exp1
6.15.1-1~exp1
6.15.2-1~exp1
6.15.3-1~exp1
6.15.4-1~exp1
6.15.5-1~exp1
6.15.6-1~exp1
6.16~rc7-1~exp1
6.16-1~exp1
6.16.1-1~exp1
6.16.3-1~bpo13+1
6.16.3-1
6.16.5-1
6.16.6-1
6.16.7-1
6.16.8-1
6.16.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}