Linux Kernel Use-After-Free Vulnerability in Rose Protocol Implementation
CVE-2025-38377
What is CVE-2025-38377?
A use-after-free vulnerability exists in the Linux kernel's rose protocol implementation. Flaws in the 'rose_rt_device_down()' function can lead to unintended access to freed memory. Two critical issues have been identified: the loop bound is altered during execution, so entries in the neighbour array are skipped, and the loop index is still incremented while the array is being modified, so elements that are shifted into place go unchecked and are left dangling. As a result, code can access freed pointers, potentially leading to unpredictable behavior and security risks. The fix iterates backward through the array with a consistent loop bound, which addresses both issues.
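The two loop flaws described above, reproduced in a user-space C model (an added example, not the kernel's code). The struct, the function names, the array size and the integer ids standing in for neighbour pointers are all assumptions made for illustration.

```c
/* User-space model added for illustration; names and sizes are assumptions. */
#include <stdio.h>
#include <string.h>
#define MAX_NEIGH 3                 /* assumed array size for this model */

struct node {                       /* hypothetical stand-in for a routing node */
    int neigh[MAX_NEIGH];           /* neighbour ids instead of pointers */
    int count;                      /* first `count` slots are treated as valid */
};

/* Close the gap at slot i by shifting the later entries down one slot. */
static void drop_slot(struct node *n, int i)
{
    n->count--;
    memmove(&n->neigh[i], &n->neigh[i + 1], sizeof(n->neigh[0]) * (size_t)(n->count - i));
}

/* Flawed pattern: the bound shrinks mid-loop and i still advances after a shift. */
void remove_forward(struct node *n, int dead)
{
    for (int i = 0; i < n->count; i++)
        if (n->neigh[i] == dead)
            drop_slot(n, i);
}

/* Pattern the fix describes: walk backward from a bound fixed at loop entry. */
void remove_reverse(struct node *n, int dead)
{
    for (int i = n->count - 1; i >= 0; i--)
        if (n->neigh[i] == dead)
            drop_slot(n, i);
}

/* Count live slots that still name the removed neighbour (these would dangle). */
int stale_entries(const struct node *n, int dead)
{
    int stale = 0;
    for (int i = 0; i < n->count; i++)
        stale += (n->neigh[i] == dead);
    return stale;
}

int main(void)
{
    struct node a = { {7, 7, 9}, 3 }, b = a;   /* constructed input: neighbour 7 goes away */
    remove_forward(&a, 7);
    remove_reverse(&b, 7);
    printf("forward: count=%d stale=%d\nreverse: count=%d stale=%d\n",
           a.count, stale_entries(&a, 7), b.count, stale_entries(&b, 7));
    return 0;
}
```

With the constructed input, the forward loop leaves one entry for the removed neighbour inside the live range, while the reverse loop leaves none.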
Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 94e0918e39039c47ddceb609500817f7266be756
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2b952dbb32fef835756f07ff0cd77efbb836dfea