CVE-2025-22103

MEDIUM

Linux kernel - NULL Pointer Dereference

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: net: fix NULL pointer dereference in l3mdev_l3_rcv When delete l3s ipvlan: ip link del link eth0 ipvlan1 type ipvlan mode l3s This may cause a null pointer dereference: Call trace: ip_rcv_finish+0x48/0xd0 ip_rcv+0x5c/0x100 __netif_receive_skb_one_core+0x64/0xb0 __netif_receive_skb+0x20/0x80 process_backlog+0xb4/0x204 napi_poll+0xe8/0x294 net_rx_action+0xd8/0x22c __do_softirq+0x12c/0x354 This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process like this: (CPU1) | (CPU2) l3mdev_l3_rcv() | check dev->priv_flags: | master = skb->dev; | | | ipvlan_l3s_unregister() | set dev->priv_flags | dev->l3mdev_ops = NULL; | visit master->l3mdev_ops | To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan.

References (4)

Core 4

Core References

Patch

https://git.kernel.org/stable/c/52b44d8c653459c658b733d13658afdde45f6836

Patch

https://git.kernel.org/stable/c/59599bce44af3df7a215ebc81cb166426e1c9204

Patch

https://git.kernel.org/stable/c/f9dff65140efc289f01bcf39c3ca66a8806b6132

Patch

https://git.kernel.org/stable/c/0032c99e83b9ce6d5995d65900aa4b6ffb501cce

Scores

CVSS v3 5.5

EPSS 0.0017

EPSS Percentile 6.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-476

Status published

Products (14)

linux/Kernel 5.1.0 - 6.6.117linux

linux/Kernel 6.13.0 - 6.14.2linux

linux/Kernel 6.7.0 - 6.12.46linux

Linux/Linux < 5.1

Linux/Linux 5.1

Linux/Linux 6.12.46 - 6.12.*

Linux/Linux 6.14.2 - 6.14.*

Linux/Linux 6.15

Linux/Linux 6.6.117 - 6.6.*

Linux/Linux c675e06a98a474f7ad0af32ce467613da818da52 - 0032c99e83b9ce6d5995d65900aa4b6ffb501cce

... and 4 more

Published Apr 16, 2025

Tracked Since Feb 18, 2026