CVE-2025-38470
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/07/2025
Last modified:
12/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime<br />
<br />
Assuming the "rx-vlan-filter" feature is enabled on a net device, the<br />
8021q module will automatically add or remove VLAN 0 when the net device<br />
is put administratively up or down, respectively. There are a couple of<br />
problems with the above scheme.<br />
<br />
The first problem is a memory leak that can happen if the "rx-vlan-filter"<br />
feature is disabled while the device is running:<br />
<br />
# ip link add bond1 up type bond mode 0<br />
# ethtool -K bond1 rx-vlan-filter off<br />
# ip link del dev bond1<br />
<br />
When the device is put administratively down the "rx-vlan-filter"<br />
feature is disabled, so the 8021q module will not remove VLAN 0 and the<br />
memory will be leaked [1].<br />
<br />
Another problem that can happen is that the kernel can automatically<br />
delete VLAN 0 when the device is put administratively down despite not<br />
adding it when the device was put administratively up since during that<br />
time the "rx-vlan-filter" feature was disabled. null-ptr-unref or<br />
bug_on[2] will be triggered by unregister_vlan_dev() for refcount<br />
imbalance if toggling filtering during runtime:<br />
<br />
$ ip link add bond0 type bond mode 0<br />
$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q<br />
$ ethtool -K bond0 rx-vlan-filter off<br />
$ ifconfig bond0 up<br />
$ ethtool -K bond0 rx-vlan-filter on<br />
$ ifconfig bond0 down<br />
$ ip link del vlan0<br />
<br />
Root cause is as below:<br />
step1: add vlan0 for real_dev, such as bond, team.<br />
register_vlan_dev<br />
vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1<br />
step2: disable vlan filter feature and enable real_dev<br />
step3: change filter from 0 to 1<br />
vlan_device_event<br />
vlan_filter_push_vids<br />
ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0<br />
step4: real_dev down<br />
vlan_device_event<br />
vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0<br />
vlan_info_rcu_free //free vlan0<br />
step5: delete vlan0<br />
unregister_vlan_dev<br />
BUG_ON(!vlan_info); //vlan_info is null<br />
<br />
Fix both problems by noting in the VLAN info whether VLAN 0 was<br />
automatically added upon NETDEV_UP and based on that decide whether it<br />
should be deleted upon NETDEV_DOWN, regardless of the state of the<br />
"rx-vlan-filter" feature.<br />
<br />
[1]<br />
unreferenced object 0xffff8880068e3100 (size 256):<br />
comm "ip", pid 384, jiffies 4296130254<br />
hex dump (first 32 bytes):<br />
00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0.............<br />
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
backtrace (crc 81ce31fa):<br />
__kmalloc_cache_noprof+0x2b5/0x340<br />
vlan_vid_add+0x434/0x940<br />
vlan_device_event.cold+0x75/0xa8<br />
notifier_call_chain+0xca/0x150<br />
__dev_notify_flags+0xe3/0x250<br />
rtnl_configure_link+0x193/0x260<br />
rtnl_newlink_create+0x383/0x8e0<br />
__rtnl_newlink+0x22c/0xa40<br />
rtnl_newlink+0x627/0xb00<br />
rtnetlink_rcv_msg+0x6fb/0xb70<br />
netlink_rcv_skb+0x11f/0x350<br />
netlink_unicast+0x426/0x710<br />
netlink_sendmsg+0x75a/0xc20<br />
__sock_sendmsg+0xc1/0x150<br />
____sys_sendmsg+0x5aa/0x7b0<br />
___sys_sendmsg+0xfc/0x180<br />
<br />
[2]<br />
kernel BUG at net/8021q/vlan.c:99!<br />
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI<br />
CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),<br />
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br />
RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))<br />
RSP: 0018:ffff88810badf310 EFLAGS: 00010246<br />
RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a<br />
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8<br />
RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80<br />
R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000<br />
R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e<br />
FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0<br />
Call Trace:<br />
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.36 (including) | 5.4.297 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.241 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.190 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.147 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.100 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.40 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/047b61a24d7c866c502aeeea482892969a68f216
- https://git.kernel.org/stable/c/35142b3816832889e50164d993018ea5810955ae
- https://git.kernel.org/stable/c/579d4f9ca9a9a605184a9b162355f6ba131f678d
- https://git.kernel.org/stable/c/8984bcbd1edf5bee5be06ad771d157333b790c33
- https://git.kernel.org/stable/c/93715aa2d80e6c5cea1bb486321fc4585076928b
- https://git.kernel.org/stable/c/ba48d3993af23753e1f1f01c8d592de9c7785f24
- https://git.kernel.org/stable/c/bb515c41306454937464da055609b5fb0a27821b
- https://git.kernel.org/stable/c/d43ef15bf4856c8c4c6c3572922331a5f06deb77
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://cert-portal.siemens.com/productcert/html/ssa-082556.html