CVE-2025-22005

ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything
when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh")
moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()
but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in
case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the
error path. Note that we can remove the fib6_nh_release() call in nh_create_ipv6()
later in net-next.git.

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the error path. Note that we can remove the fib6_nh_release() call in nh_create_ipv6() later in net-next.git.

Michael Randrianantenaina discovered that the Bluetooth driver in the Linux Kernel contained an improper access control vulnerability. A nearby attacker could use this to connect a rougue device and possibly execute arbitrary code. It was discovered that the CIFS network file system implementation in the Linux kernel did not properly verify the target namespace when handling upcalls. An attacker could use this to expose sensitive information.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-04-03 CVE Published
2025-05-04 CVE Updated
2025-06-10 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/7dd73168e273938b9e9bb42ca51b0c27d807992b	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/16267a5036173d0173377545b4b6021b081d0933	2025-04-10
https://git.kernel.org/stable/c/1bd12dfc058e1e68759d313d7727d68dbc1b8964	2025-04-10
https://git.kernel.org/stable/c/596a883c4ce2d2e9c175f25b98fed3a1f33fea38	2025-04-10
https://git.kernel.org/stable/c/77c41cdbe6bce476e08d3251c0d501feaf10a9f3	2025-03-28
https://git.kernel.org/stable/c/119dcafe36795a15ae53351cbbd6177aaf94ffef	2025-03-28
https://git.kernel.org/stable/c/29d91820184d5cbc70f3246d4911d96eaeb930d6	2025-03-28
https://git.kernel.org/stable/c/d3d5b4b5ae263c3225db363ba08b937e2e2b0380	2025-03-28
https://git.kernel.org/stable/c/9740890ee20e01f99ff1dde84c63dcf089fabb98	2025-03-18

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.4.292 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.4.292"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.10.236 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.10.236"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.15.180 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.15.180"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 6.1.132 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 6.1.132"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 6.6.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 6.6.85"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 6.12.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 6.12.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 6.13.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 6.13.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 6.14"		en		Affected