tipc: Fix use-after-free in tipc_mon_reinit_self().
Summary
| CVE | CVE-2025-40280 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-12-06 22:15:55 UTC |
| Updated | 2026-06-02 14:16:33 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_mon_reinit_self(). syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0] The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL. tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work(). Let's hold RTNL in tipc_net_finalize_work(). [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989 CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568 kasan_check_byte include/linux/kasan.h:399 [inline] lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline] rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline] rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244 rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243 write_lock_bh include/linux/rwlock_rt.h:99 [inline] tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718 tipc_net_finalize+0x115/0x190 net/tipc/net.c:140 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6089: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657 tipc_enable_bearer net/tipc/bearer.c:357 [inline] __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047 __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline] tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393 tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline] tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 ____sys_sendmsg+0x508/0x820 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/ ---truncated--- |
Risk And Classification
EPSS: 0.000760000 probability, percentile 0.228820000 (date 2026-06-02)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 28845c28f842e9e55e75b2c116bff714bb039055 5f541300b02ef8b2af34f6f7d41ce617f3571e88 git | Not specified |
| CNA | Linux | Linux | affected 46cb01eeeb86fca6afe24dda1167b0cb95424e29 b2e77c789c234e7fe49057d2ced8f32e2d2c7901 git | Not specified |
| CNA | Linux | Linux | affected 46cb01eeeb86fca6afe24dda1167b0cb95424e29 51b8f0ab888f8aa5dfac954918864eeda8c12c19 git | Not specified |
| CNA | Linux | Linux | affected 46cb01eeeb86fca6afe24dda1167b0cb95424e29 499b5fa78d525c4450ebb76db83207db71efea77 git | Not specified |
| CNA | Linux | Linux | affected 46cb01eeeb86fca6afe24dda1167b0cb95424e29 c92dbf85627b5c29e52d9c120a24e785801716df git | Not specified |
| CNA | Linux | Linux | affected 46cb01eeeb86fca6afe24dda1167b0cb95424e29 f0104977fed25ebe001fd63dab2b6b7fefad3373 git | Not specified |
| CNA | Linux | Linux | affected 46cb01eeeb86fca6afe24dda1167b0cb95424e29 fdf7c4c9af4f246323ce854e84b6aec198d49f7e git | Not specified |
| CNA | Linux | Linux | affected 46cb01eeeb86fca6afe24dda1167b0cb95424e29 0725e6afb55128be21a2ca36e9674f573ccec173 git | Not specified |
| CNA | Linux | Linux | affected 295c9b554f6dfcd2d368fae6e6fa22ee5b79c123 git | Not specified |
| CNA | Linux | Linux | affected 5.4.15 5.4.302 semver | Not specified |
| CNA | Linux | Linux | affected 4.19.99 4.20 semver | Not specified |
| CNA | Linux | Linux | affected 5.5 | Not specified |
| CNA | Linux | Linux | unaffected 5.5 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.4.302 5.4.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.247 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.197 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.159 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.117 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.59 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.17.9 6.17.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18 * original_commit_for_fix | Not specified |
| ADP | Siemens | RUGGEDCOM RST2428P | affected V4.0 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/c92dbf85627b5c29e52d9c120a24e785801716df | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/f0104977fed25ebe001fd63dab2b6b7fefad3373 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/fdf7c4c9af4f246323ce854e84b6aec198d49f7e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/499b5fa78d525c4450ebb76db83207db71efea77 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/5f541300b02ef8b2af34f6f7d41ce617f3571e88 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/51b8f0ab888f8aa5dfac954918864eeda8c12c19 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| cert-portal.siemens.com/productcert/html/ssa-253495.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/0725e6afb55128be21a2ca36e9674f573ccec173 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/b2e77c789c234e7fe49057d2ced8f32e2d2c7901 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.