CVE-2025-38184

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/07/2025
Last modified: 08/07/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer

The reproduction steps:
1. create a tun interface
2. enable l2 bearer
3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun

tipc: Started in network mode
tipc: Node identity 8af312d38a21, cluster identity 4711
tipc: Enabled bearer , priority 1
Oops: general protection fault
KASAN: null-ptr-deref in range
CPU: 1 UID: 1000 PID: 559 Comm: poc Not tainted 6.16.0-rc1+ #117 PREEMPT
Hardware name: QEMU Ubuntu 24.04 PC
RIP: 0010:tipc_udp_nl_dump_remoteip+0x4a4/0x8f0

the ub was in fact a struct dev.

when bid != 0 && skip_cnt != 0, bearer_list[bid] may be NULL or
other media when other thread changes it.

fix this by checking media_id.
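
The check described in the commit message, shown as a simplified user-space model. This is an added example, not code from the kernel or from the patch; the struct layouts, enum values, sample bearers and the function name `dump_remoteip` are assumptions made for illustration.

```c
/* Added illustration: a user-space model, not kernel code. All names,
 * layouts and values below are hypothetical and constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum media_id { MEDIA_ETH = 1, MEDIA_UDP = 2 };

struct net_dev    { char name[16]; };      /* what an L2 bearer points at */
struct udp_bearer { int remote_count; };   /* what a UDP bearer points at */

struct bearer {
    enum media_id media_id;  /* tells the reader how to interpret media_ptr */
    void *media_ptr;         /* struct net_dev * or struct udp_bearer * */
};

#define MAX_BEARERS 3
static struct net_dev    tun0 = { "tun0" };
static struct udp_bearer udp0 = { 2 };
static struct bearer eth_b = { MEDIA_ETH, &tun0 };
static struct bearer udp_b = { MEDIA_UDP, &udp0 };
/* Slot 0 is empty, as if another thread had disabled that bearer. */
static struct bearer *bearer_list[MAX_BEARERS] = { NULL, &eth_b, &udp_b };

/* Resume a remote-IP dump at slot bid; returns a count or -EINVAL. */
int dump_remoteip(unsigned int bid)
{
    if (bid >= MAX_BEARERS)
        return -EINVAL;
    struct bearer *b = bearer_list[bid];
    if (b == NULL)                   /* slot emptied since the last call */
        return -EINVAL;
    if (b->media_id != MEDIA_UDP)    /* slot holds another media type */
        return -EINVAL;
    /* Only now is media_ptr known to be a struct udp_bearer. Without the
     * media_id test, eth_b's struct net_dev would be read as one. */
    struct udp_bearer *ub = b->media_ptr;
    return ub ? ub->remote_count : -EINVAL;
}

int main(void)
{
    for (unsigned int bid = 0; bid <= MAX_BEARERS; bid++)
        printf("bid %u -> %d\n", bid, dump_remoteip(bid));
    return 0;
}
```

The point of the model is that a resumed dump must re-validate both the slot and its media type, because the index saved from the previous call says nothing about what the slot holds now.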

Impact