CVE-2025-39827
Description
In the Linux kernel, the following vulnerability has been resolved: net: rose: include node references in rose_neigh refcount Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock. This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented. This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node(). These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Linux kernel Affected 3 releases
| Version | Status | Fixed in |
|---|---|---|
| 6.17 | Affected | โ |
| 2.6.12 | Affected | โ |
| โ | Affected | 6.1.150 |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Mixed 6 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.48-1 |
| sid | Fixed | 6.16.5-1 |
| forky | Fixed | 6.16.5-1 |
| bullseye | Fixed | 6.1.153-1~deb11u1 |
| bookworm | Fixed | 6.1.153-1 |
| 11.0 | Affected | โ |
References
- https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728
- https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639
- https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115
- https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b
- https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://cert-portal.siemens.com/productcert/html/ssa-032379.html
- https://www.suse.com/security/cve/CVE-2025-39827.html
- https://security-tracker.debian.org/tracker/CVE-2025-39827
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.