CVE-2025-38377

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rose: fix dangling neighbour pointers in rose_rt_device_down()<br /> <br /> There are two bugs in rose_rt_device_down() that can cause<br /> use-after-free:<br /> <br /> 1. The loop bound `t-&gt;count` is modified within the loop, which can<br /> cause the loop to terminate early and miss some entries.<br /> <br /> 2. When removing an entry from the neighbour array, the subsequent entries<br /> are moved up to fill the gap, but the loop index `i` is still<br /> incremented, causing the next entry to be skipped.<br /> <br /> For example, if a node has three neighbours (A, A, B) with count=3 and A<br /> is being removed, the second A is not checked.<br /> <br /> i=0: (A, A, B) -&gt; (A, B) with count=2<br /> ^ checked<br /> i=1: (A, B) -&gt; (A, B) with count=2<br /> ^ checked (B, not A!)<br /> i=2: (doesn&amp;#39;t occur because i