CVE-2025-39980
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/10/2025
Last modified:
16/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
nexthop: Forbid FDB status change while nexthop is in a group<br />
<br />
The kernel forbids the creation of non-FDB nexthop groups with FDB<br />
nexthops:<br />
<br />
# ip nexthop add id 1 via 192.0.2.1 fdb<br />
# ip nexthop add id 2 group 1<br />
Error: Non FDB nexthop group cannot have fdb nexthops.<br />
<br />
And vice versa:<br />
<br />
# ip nexthop add id 3 via 192.0.2.2 dev dummy1<br />
# ip nexthop add id 4 group 3 fdb<br />
Error: FDB nexthop group can only have fdb nexthops.<br />
<br />
However, as long as no routes are pointing to a non-FDB nexthop group,<br />
the kernel allows changing the type of a nexthop from FDB to non-FDB and<br />
vice versa:<br />
<br />
# ip nexthop add id 5 via 192.0.2.2 dev dummy1<br />
# ip nexthop add id 6 group 5<br />
# ip nexthop replace id 5 via 192.0.2.2 fdb<br />
# echo $?<br />
0<br />
<br />
This configuration is invalid and can result in a NPD [1] since FDB<br />
nexthops are not associated with a nexthop device:<br />
<br />
# ip route add 198.51.100.1/32 nhid 6<br />
# ping 198.51.100.1<br />
<br />
Fix by preventing nexthop FDB status change while the nexthop is in a<br />
group:<br />
<br />
# ip nexthop add id 7 via 192.0.2.2 dev dummy1<br />
# ip nexthop add id 8 group 7<br />
# ip nexthop replace id 7 via 192.0.2.2 fdb<br />
Error: Cannot change nexthop FDB status while in a group.<br />
<br />
[1]<br />
BUG: kernel NULL pointer dereference, address: 00000000000003c0<br />
[...]<br />
Oops: Oops: 0000 [#1] SMP<br />
CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014<br />
RIP: 0010:fib_lookup_good_nhc+0x1e/0x80<br />
[...]<br />
Call Trace:<br />
<br />
fib_table_lookup+0x541/0x650<br />
ip_route_output_key_hash_rcu+0x2ea/0x970<br />
ip_route_output_key_hash+0x55/0x80<br />
__ip4_datagram_connect+0x250/0x330<br />
udp_connect+0x2b/0x60<br />
__sys_connect+0x9c/0xd0<br />
__x64_sys_connect+0x18/0x20<br />
do_syscall_64+0xa4/0x2a0<br />
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0e7bfe7a268ccbd7859730c529161cafbf44637c
- https://git.kernel.org/stable/c/24046d31f6f92220852d393d510b6062843e3fbd
- https://git.kernel.org/stable/c/390b3a300d7872cef9588f003b204398be69ce08
- https://git.kernel.org/stable/c/8dd4aa0122885f710930de135af2adc4ccc3238f
- https://git.kernel.org/stable/c/e1e87ac0daacd51f522ecd1645cd76b5809303ed
- https://git.kernel.org/stable/c/ec428fff792b7bd15b248dafca2e654b666b1304
- https://git.kernel.org/stable/c/f0e49fd13afe9dea7a09a1c9537fd00cea22badb