CVE-2025-39867

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

23/09/2025

Last modified:

24/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix null deref for empty set Blamed commit broke the check for a null scratch map: - if (unlikely(!m || !*raw_cpu_ptr(m->scratch))) + if (unlikely(!raw_cpu_ptr(m->scratch))) This should have been "if (!*raw_ ...)". Use the pattern of the avx2 version which is more readable. This can only be reproduced if avx2 support isn&#39;t available.

Impact

References to Advisories, Solutions, and Tools

https://git.kernel.org/stable/c/30c1d25b9870d551be42535067d5481668b5e6f3
https://git.kernel.org/stable/c/44b2be6d5994ddf07ecc86c01d3279bfa13e9ef6
https://git.kernel.org/stable/c/51a321b480d1e753667f6aea497312461563f9fe