{"id":"AZL-66246","summary":"CVE-2025-38500 affecting package kernel for versions less than 6.6.104.2-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: interface: fix use-after-free after changing collect_md xfrm interface\n\ncollect_md property on xfrm interfaces can only be set on device creation,\nthus xfrmi_changelink() should fail when called on such interfaces.\n\nThe check to enforce this was done only in the case where the xi was\nreturned from xfrmi_locate() which doesn't look for the collect_md\ninterface, and thus the validation was never reached.\n\nCalling changelink would thus errornously place the special interface xi\nin the xfrmi_net-\u003exfrmi hash, but since it also exists in the\nxfrmi_net-\u003ecollect_md_xfrmi pointer it would lead to a double free when\nthe net namespace was taken down [1].\n\nChange the check to use the xi from netdev_priv which is available earlier\nin the function to prevent changes in xfrm collect_md interfaces.\n\n[1] resulting oops:\n[    8.516540] kernel BUG at net/core/dev.c:12029!\n[    8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[    8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)\n[    8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[    8.516569] Workqueue: netns cleanup_net\n[    8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0\n[    8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 \u003c0f\u003e 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24\n[    8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206\n[    8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60\n[    8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122\n[    8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100\n[    8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00\n[    8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00\n[    8.516615] FS:  0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000\n[    8.516619] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0\n[    8.516625] PKRU: 55555554\n[    8.516627] Call Trace:\n[    8.516632]  \u003cTASK\u003e\n[    8.516635]  ? rtnl_is_locked+0x15/0x20\n[    8.516641]  ? unregister_netdevice_queue+0x29/0xf0\n[    8.516650]  ops_undo_list+0x1f2/0x220\n[    8.516659]  cleanup_net+0x1ad/0x2e0\n[    8.516664]  process_one_work+0x160/0x380\n[    8.516673]  worker_thread+0x2aa/0x3c0\n[    8.516679]  ? __pfx_worker_thread+0x10/0x10\n[    8.516686]  kthread+0xfb/0x200\n[    8.516690]  ? __pfx_kthread+0x10/0x10\n[    8.516693]  ? __pfx_kthread+0x10/0x10\n[    8.516697]  ret_from_fork+0x82/0xf0\n[    8.516705]  ? __pfx_kthread+0x10/0x10\n[    8.516709]  ret_from_fork_asm+0x1a/0x30\n[    8.516718]  \u003c/TASK\u003e","modified":"2026-04-01T05:20:55.612998Z","published":"2025-08-12T16:15:27Z","upstream":["CVE-2025-38500"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38500"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.104.2-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66246.json"}}],"schema_version":"1.7.5"}