Bug 2395782 (CVE-2025-39827) - CVE-2025-39827 kernel: net: rose: include node references in rose_neigh refcount
Summary: CVE-2025-39827 kernel: net: rose: include node references in rose_neigh refcount
Keywords:
Status: NEW
Alias: CVE-2025-39827
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-16 14:02 UTC by OSIDB Bzimport
Modified: 2025-11-26 09:38 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-16 14:02:12 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: rose: include node references in rose_neigh refcount

Current implementation maintains two separate reference counting
mechanisms: the 'count' field in struct rose_neigh tracks references from
rose_node structures, while the 'use' field (now refcount_t) tracks
references from rose_sock.

This patch merges these two reference counting systems using 'use' field
for proper reference management. Specifically, this patch adds incrementing
and decrementing of rose_neigh->use when rose_neigh->count is incremented
or decremented.

This patch also modifies rose_rt_free(), rose_rt_device_down() and
rose_clear_route() to properly release references to rose_neigh objects
before freeing a rose_node through rose_remove_node().

These changes ensure rose_neigh structures are properly freed only when
all references, including those from rose_node structures, are released.
As a result, this resolves a slab-use-after-free issue reported by Syzbot.
Comment 1 Keith Grant 2025-09-16 16:33:27 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091617-CVE-2025-39827-0c7c@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.