CVE-2025-22103
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
16/04/2025
Last modified:
24/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: fix NULL pointer dereference in l3mdev_l3_rcv<br />
<br />
When delete l3s ipvlan:<br />
<br />
ip link del link eth0 ipvlan1 type ipvlan mode l3s<br />
<br />
This may cause a null pointer dereference:<br />
<br />
Call trace:<br />
ip_rcv_finish+0x48/0xd0<br />
ip_rcv+0x5c/0x100<br />
__netif_receive_skb_one_core+0x64/0xb0<br />
__netif_receive_skb+0x20/0x80<br />
process_backlog+0xb4/0x204<br />
napi_poll+0xe8/0x294<br />
net_rx_action+0xd8/0x22c<br />
__do_softirq+0x12c/0x354<br />
<br />
This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after<br />
ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process<br />
like this:<br />
<br />
(CPU1) | (CPU2)<br />
l3mdev_l3_rcv() |<br />
check dev->priv_flags: |<br />
master = skb->dev; |<br />
|<br />
| ipvlan_l3s_unregister()<br />
| set dev->priv_flags<br />
| dev->l3mdev_ops = NULL;<br />
|<br />
visit master->l3mdev_ops |<br />
<br />
To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.1 (including) | 6.12.46 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page