CVE-2025-38472

{"id": "CVE-2025-38472", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-28T12:15:29.003", "references": [{"url": "https://git.kernel.org/stable/c/2d72afb340657f03f7261e9243b44457a9228ac7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/76179961c423cd698080b5e4d5583cf7f4fcdde9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/938ce0e8422d3793fe30df2ed0e37f6bc0598379", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a47ef874189d47f934d0809ae738886307c0ea22", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fc38c249c622ff5e3011b8845fd49dbfd9289afc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-908"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: fix crash due to removal of uninitialised entry\n\nA crash in conntrack was reported while trying to unlink the conntrack\nentry from the hash bucket list:\n [exception RIP: __nf_ct_delete_from_lists+172]\n [..]\n #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]\n #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]\n #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]\n [..]\n\nThe nf_conn struct is marked as allocated from slab but appears to be in\na partially initialised state:\n\n ct hlist pointer is garbage; looks like the ct hash value\n (hence crash).\n ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected\n ct->timeout is 30000 (=30s), which is unexpected.\n\nEverything else looks like normal udp conntrack entry. If we ignore\nct->status and pretend its 0, the entry matches those that are newly\nallocated but not yet inserted into the hash:\n - ct hlist pointers are overloaded and store/cache the raw tuple hash\n - ct->timeout matches the relative time expected for a new udp flow\n rather than the absolute 'jiffies' value.\n\nIf it were not for the presence of IPS_CONFIRMED,\n__nf_conntrack_find_get() would have skipped the entry.\n\nTheory is that we did hit following race:\n\ncpu x \t\t\tcpu y\t\t\tcpu z\n found entry E\t\tfound entry E\n E is expired\t\t<preemption>\n nf_ct_delete()\n return E to rcu slab\n\t\t\t\t\tinit_conntrack\n\t\t\t\t\tE is re-inited,\n\t\t\t\t\tct->status set to 0\n\t\t\t\t\treply tuplehash hnnode.pprev\n\t\t\t\t\tstores hash value.\n\ncpu y found E right before it was deleted on cpu x.\nE is now re-inited on cpu z. cpu y was preempted before\nchecking for expiry and/or confirm bit.\n\n\t\t\t\t\t->refcnt set to 1\n\t\t\t\t\tE now owned by skb\n\t\t\t\t\t->timeout set to 30000\n\nIf cpu y were to resume now, it would observe E as\nexpired but would skip E due to missing CONFIRMED bit.\n\n\t\t\t\t\tnf_conntrack_confirm gets called\n\t\t\t\t\tsets: ct->status |= CONFIRMED\n\t\t\t\t\tThis is wrong: E is not yet added\n\t\t\t\t\tto hashtable.\n\ncpu y resumes, it observes E as expired but CONFIRMED:\n\t\t\t<resumes>\n\t\t\tnf_ct_expired()\n\t\t\t -> yes (ct->timeout is 30s)\n\t\t\tconfirmed bit set.\n\ncpu y will try to delete E from the hashtable:\n\t\t\tnf_ct_delete() -> set DYING bit\n\t\t\t__nf_ct_delete_from_lists\n\nEven this scenario doesn't guarantee a crash:\ncpu z still holds the table bucket lock(s) so y blocks:\n\n\t\t\twait for spinlock held by z\n\n\t\t\t\t\tCONFIRMED is set but there is no\n\t\t\t\t\tguarantee ct will be added to hash:\n\t\t\t\t\t\"chaintoolong\" or \"clash resolution\"\n\t\t\t\t\tlogic both skip the insert step.\n\t\t\t\t\treply hnnode.pprev still stores the\n\t\t\t\t\thash value.\n\n\t\t\t\t\tunlocks spinlock\n\t\t\t\t\treturn NF_DROP\n\t\t\t<unblocks, then\n\t\t\t crashes on hlist_nulls_del_rcu pprev>\n\nIn case CPU z does insert the entry into the hashtable, cpu y will unlink\nE again right away but no crash occurs.\n\nWithout 'cpu y' race, 'garbage' hlist is of no consequence:\nct refcnt remains at 1, eventually skb will be free'd and E gets\ndestroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy.\n\nTo resolve this, move the IPS_CONFIRMED assignment after the table\ninsertion but before the unlock.\n\nPablo points out that the confirm-bit-store could be reordered to happen\nbefore hlist add resp. the timeout fixup, so switch to set_bit and\nbefore_atomic memory barrier to prevent this.\n\nIt doesn't matter if other CPUs can observe a newly inserted entry right\nbefore the CONFIRMED bit was set:\n\nSuch event cannot be distinguished from above \"E is the old incarnation\"\ncase: the entry will be skipped.\n\nAlso change nf_ct_should_gc() to first check the confirmed bit.\n\nThe gc sequence is:\n 1. Check if entry has expired, if not skip to next entry\n 2. Obtain a reference to the expired entry.\n 3. Call nf_ct_should_gc() to double-check step 1.\n\nnf_ct_should_gc() is thus called only for entries that already failed an\nexpiry check. After this patch, once the confirmed bit check pas\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_conntrack: correcci\u00f3n de fallo debido a la eliminaci\u00f3n de una entrada no inicializada Se inform\u00f3 de un fallo en conntrack al intentar desvincular la entrada de conntrack de la lista de cubos hash: [exception RIP: __nf_ct_delete_from_lists+172] [..] #7 [ff539b5a2b043aa0] nf_ct_delete en ffffffffc124d421 [nf_conntrack] #8 [ff539b5a2b043ad0] nf_ct_gc_expired en ffffffffc124d999 [nf_conntrack] #9 [ff539b5a2b043ae0] __nf_conntrack_find_get en ffffffffc124efbc [nf_conntrack] [..] La estructura nf_conn est\u00e1 marcada como asignada desde slab, pero parece estar parcialmente inicializada: el puntero hlist ct es basura; parece el valor hash ct (de ah\u00ed el fallo). ct-&gt;status es igual a IPS_CONFIRMED|IPS_DYING, que es lo esperado ct-&gt;timeout es 30000 (=30 s), lo cual es inesperado. Todo lo dem\u00e1s parece una entrada conntrack udp normal. Si ignoramos ct-&gt;status y suponemos que es 0, la entrada coincide con las que se acaban de asignar pero que a\u00fan no se han insertado en el hash: - los punteros hlist ct est\u00e1n sobrecargados y almacenan/cachean el hash de la tupla sin procesar - ct-&gt;timeout coincide con el tiempo relativo esperado para un nuevo flujo udp en lugar del valor absoluto de 'jiffies'. Si no fuera por la presencia de IPS_CONFIRMED, __nf_conntrack_find_get() habr\u00eda omitido la entrada. La teor\u00eda es que alcanzamos la siguiente ejecuci\u00f3n: cpu x cpu y cpu z encontr\u00f3 la entrada E encontr\u00f3 la entrada EE est\u00e1 vencida nf_ct_delete() devuelve E a rcu slab init_conntrack E se reinicia, ct-&gt;status establecido en 0 respuesta tuplehash hnnode.pprev almacena el valor hash. cpu y encontr\u00f3 E justo antes de que se eliminara en la cpu x. E ahora se reinicia en la cpu z. La cpu y fue interrumpida antes de verificar la expiraci\u00f3n y/o el bit de confirmaci\u00f3n. -&gt;refcnt establecido en 1 E ahora es propiedad de skb -&gt;timeout establecido en 30000 Si la cpu y se reanudara ahora, observar\u00eda que E ha expirado, pero omitir\u00eda E debido a que falta el bit CONFIRMED. nf_conntrack_confirm se llama establece: ct-&gt;status |= CONFIRMED Esto es incorrecto: E a\u00fan no se agreg\u00f3 a la tabla hash. La CPU y se reanuda, observa que E ha expirado pero CONFIRMADO: nf_ct_expired() -&gt; s\u00ed (ct-&gt;el tiempo de espera es de 30 s) bit confirmado establecido. La CPU y intentar\u00e1 eliminar E de la tabla hash: nf_ct_delete() -&gt; establecer bit MORIR __nf_ct_delete_from_lists Incluso este escenario no garantiza un fallo: la CPU z a\u00fan mantiene el/los bloqueo(s) del dep\u00f3sito de la tabla, por lo que y bloquea: esperar a que z mantenga el bloqueo de giro CONFIRMADO est\u00e1 establecido, pero no hay garant\u00eda de que ct se agregue al hash: la l\u00f3gica \"chaintoolong\" o \"clash resolution\" omiten el paso de inserci\u00f3n. responder hnnode.pprev a\u00fan almacena el valor del hash. desbloquea el bloqueo de giro devolver NF_DROP En caso de que la CPU z inserte la entrada en la tabla hash, la CPU y desvincular\u00e1 E nuevamente de inmediato, pero no ocurre ning\u00fan fallo. Sin la ejecuci\u00f3n de la CPU y, la lista de memoria basura no tiene importancia: ct refcnt permanece en 1, skb se liberar\u00e1 y E se destruir\u00e1 mediante nf_conntrack_put -&gt; nf_conntrack_destroy -&gt; nf_ct_destroy. Para resolver esto, mueva la asignaci\u00f3n IPS_CONFIRMED despu\u00e9s de la inserci\u00f3n de la tabla, pero antes del desbloqueo. Pablo se\u00f1ala que el almacenamiento de bits de confirmaci\u00f3n podr\u00eda reordenarse para que ocurra antes de la adici\u00f3n de la lista de memoria o de la correcci\u00f3n del tiempo de espera, por lo que se debe cambiar a set_bit y a la barrera de memoria before_atomic para evitarlo. No importa si otras CPU pueden observar una entrada reci\u00e9n insertada justo antes de que se establezca el bit CONFIRMED: este evento no se distingue del caso anterior, \"E es la encarnaci\u00f3n anterior\": la entrada se omitir\u00e1. Tambi\u00e9n modifique nf_ct_should_gc() para que primero verifique el bit confirmado. La secuencia de gc es: 1. Verificar si la entrada ---truncado---"}], "lastModified": "2025-12-22T19:34:52.833", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F281CADC-2716-4908-8E16-1F75CD012797", "versionEndExcluding": "6.1.147", "versionStartIncluding": "5.18.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "094B81E0-B756-4727-85CA-F3F8D1C9D116", "versionEndExcluding": "6.6.100", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0099D5A4-B157-4D36-8858-982C7D579030", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7AFE5B0-F3B1-4D30-B8BF-EDA0385C4746", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "415BF58A-8197-43F5-B3D7-D1D63057A26E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0517869-312D-4429-80C2-561086E1421C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85421F4E-C863-4ABF-B4B4-E887CC2F7F92"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3827F0D4-5FEE-4181-B267-5A45E7CA11FC"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}