CVE Catalog

CVE-2025-39827

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

In the Linux kernel's ROSE (X.25 network) subsystem, a vulnerability was found due to incorrect reference counting in rose_neigh structures. Separate counters for nodes and sockets caused premature memory freeing, leading to a use-after-free condition. The patch merges both counters into one, ensuring proper deallocation only after all references are released.

Risk Assessment

The vulnerability could be exploited to achieve remote code execution or system crash (kernel panic) by sending specially crafted network packets to a system with the ROSE protocol enabled. The risk is particularly significant in carrier-grade and industrial environments using X.25 networks.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit 8b3b5a2c7b9f or later). If updating is not possible, temporarily disable the ROSE protocol (modprobe -r rose) or block traffic on TCP ports 200/201.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: rose: include node references in rose_neigh refcount Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock. This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented. This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node(). These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS