Use-After-Free Vulnerability in Linux Kernel's Ipvlan Component
CVE-2025-21652

7.8HIGH

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 19 January 2025

Summary

A vulnerability exists in the Linux kernel's ipvlan component due to a use-after-free issue in the ipvlan_get_iflink() function. This arises when the lower device linked to the ipvlan interface is freed before its reference is properly managed. If the linkwatch triggering event occurs while the lower device is already freed, this may result in undefined behavior or crashes. The vulnerability has been addressed by ensuring that the lower device's reference count is maintained during initialization and destructed appropriately, preventing premature unregistration and enhancing overall stability in network device handling.

Affected Version(s)

Linux 8c55facecd7ade835287298ce325f930d888d8ec

Linux 8c55facecd7ade835287298ce325f930d888d8ec < 52a24538d569f48e79d1a169a5d359d384152950

Linux 8c55facecd7ade835287298ce325f930d888d8ec

References

https://git.kernel.org/stable/c/ba9f7c16ec879c83bb4f80406...

https://git.kernel.org/stable/c/52a24538d569f48e79d1a169a...

https://git.kernel.org/stable/c/cb358ff94154774d031159b01...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 19, 2025
Vulnerability Reserved
Dec 29, 2024