CVE-2025-39826
HIGH
Linux Kernel Use-After-Free in ROSE Neighbour Reference Counting
In the Linux kernel, the following vulnerability has been resolved:

net: rose: convert 'use' field to refcount_t

The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths.

For example, when rose_neigh->use becomes zero during an ioctl operation via rose_rt_ioctl(), the structure may be removed while its timer is still active, potentially causing use-after-free issues.

This patch changes the type of 'use' from unsigned short to refcount_t and updates all code paths to use rose_neigh_hold() and rose_neigh_put() which operate reference counts atomically.
References (7)
Core References
Third Party Advisory, Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html
Scores
CVSS v3
7.0
EPSS
0.0001
EPSS Percentile
3.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-416
Status
published
Products (20)
debian/debian_linux
11.0
linux/Kernel
2.6.12 - 6.1.150
linux/Kernel
6.13.0 - 6.16.5
linux/Kernel
6.2.0 - 6.6.104
linux/Kernel
6.7.0 - 6.12.45
Linux/Linux
< 2.6.12
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 0085b250fcc79f900c82a69980ec2f3e1871823b
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 203e4f42596ede31498744018716a3db6dbb7f51
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - d860d1faa6b2ce3becfdb8b0c2b048ad31800061
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - f8c29fc437d03a98fb075c31c5be761cc8326284
... and 10 more
Published
Sep 16, 2025
Tracked Since
Feb 18, 2026