Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-38638

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/08/2025
Last modified:
26/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: add a retry logic in net6_rt_notify()<br /> <br /> inet6_rt_notify() can be called under RCU protection only.<br /> This means the route could be changed concurrently<br /> and rt6_fill_node() could return -EMSGSIZE.<br /> <br /> Re-size the skb when this happens and retry, removing<br /> one WARN_ON() that syzbot was able to trigger:<br /> <br /> WARNING: CPU: 3 PID: 6291 at net/ipv6/route.c:6342 inet6_rt_notify+0x475/0x4b0 net/ipv6/route.c:6342<br /> Modules linked in:<br /> CPU: 3 UID: 0 PID: 6291 Comm: syz.0.77 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> RIP: 0010:inet6_rt_notify+0x475/0x4b0 net/ipv6/route.c:6342<br /> Code: fc ff ff e8 6d 52 ea f7 e9 47 fc ff ff 48 8b 7c 24 08 4c 89 04 24 e8 5a 52 ea f7 4c 8b 04 24 e9 94 fd ff ff e8 9c fe 84 f7 90 0b 90 e9 bd fd ff ff e8 6e 52 ea f7 e9 bb fb ff ff 48 89 df e8<br /> RSP: 0018:ffffc900035cf1d8 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: ffffc900035cf540 RCX: ffffffff8a36e790<br /> RDX: ffff88802f7e8000 RSI: ffffffff8a36e9d4 RDI: 0000000000000005<br /> RBP: ffff88803c230f00 R08: 0000000000000005 R09: 00000000ffffffa6<br /> R10: 00000000ffffffa6 R11: 0000000000000001 R12: 00000000ffffffa6<br /> R13: 0000000000000900 R14: ffff888032ea4100 R15: 0000000000000000<br /> FS: 00007fac7b89a6c0(0000) GS:ffff8880d6a20000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fac7b899f98 CR3: 0000000034b3f000 CR4: 0000000000352ef0<br /> Call Trace:<br /> <br /> ip6_route_mpath_notify+0xde/0x280 net/ipv6/route.c:5356<br /> ip6_route_multipath_add+0x1181/0x1bd0 net/ipv6/route.c:5536<br /> inet6_rtm_newroute+0xe4/0x1a0 net/ipv6/route.c:5647<br /> rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6944<br /> netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]<br /> netlink_unicast+0x58d/0x850 net/netlink/af_netlink.c:1346<br /> netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896<br /> sock_sendmsg_nosec net/socket.c:712 [inline]<br /> __sock_sendmsg net/socket.c:727 [inline]<br /> ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566<br /> ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:6.16:*:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools