Bug 2390409 (CVE-2025-38665) - CVE-2025-38665 kernel: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
Summary: CVE-2025-38665 kernel: can: netlink: can_changelink(): fix NULL pointer deref...
Keywords:
Status: NEW
Alias: CVE-2025-38665
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-08-22 17:05 UTC by OSIDB Bzimport
Modified: 2025-08-22 17:17 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-08-22 17:05:21 UTC 
In the Linux kernel, the following vulnerability has been resolved:

can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode

Andrei Lalaev reported a NULL pointer deref when a CAN device is
restarted from Bus Off and the driver does not implement the struct
can_priv::do_set_mode callback.

There are 2 code path that call struct can_priv::do_set_mode:
- directly by a manual restart from the user space, via
  can_changelink()
- delayed automatic restart after bus off (deactivated by default)

To prevent the NULL pointer deference, refuse a manual restart or
configure the automatic restart delay in can_changelink() and report
the error via extack to user space.

As an additional safety measure let can_restart() return an error if
can_priv::do_set_mode is not set instead of dereferencing it
unchecked.
Comment 1 Keith Grant 2025-08-22 17:08:38 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025082259-CVE-2025-38665-29e2@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.