GHSA-XRJ4-4G3M-87PF

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2026-05-12 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: rose: convert 'use' field to refcount_t

The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths.

For example, when rose_neigh->use becomes zero during an ioctl operation via rose_rt_ioctl(), the structure may be removed while its timer is still active, potentially causing use-after-free issues.

This patch changes the type of 'use' from unsigned short to refcount_t and updates all code paths to use rose_neigh_hold() and rose_neigh_put() which operate reference counts atomically.

Severity
7.0 (High)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T13:16:02Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: convert \u0027use\u0027 field to refcount_t\n\nThe \u0027use\u0027 field in struct rose_neigh is used as a reference counter but\nlacks atomicity. This can lead to race conditions where a rose_neigh\nstructure is freed while still being referenced by other code paths.\n\nFor example, when rose_neigh-\u003euse becomes zero during an ioctl operation\nvia rose_rt_ioctl(), the structure may be removed while its timer is\nstill active, potentially causing use-after-free issues.\n\nThis patch changes the type of \u0027use\u0027 from unsigned short to refcount_t and\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\noperate reference counts atomically.",
  "id": "GHSA-xrj4-4g3m-87pf",
  "modified": "2026-05-12T15:31:08Z",
  "published": "2025-09-16T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39826"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0085b250fcc79f900c82a69980ec2f3e1871823b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/203e4f42596ede31498744018716a3db6dbb7f51"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d860d1faa6b2ce3becfdb8b0c2b048ad31800061"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8c29fc437d03a98fb075c31c5be761cc8326284"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fb07156cc0742ba4e93dfcc84280c011d05b301f"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.