CVE-2025-39827

EUVD-2025-29587
In the Linux kernel, the following vulnerability has been resolved:

net: rose: include node references in rose_neigh refcount

Current implementation maintains two separate reference counting
mechanisms: the 'count' field in struct rose_neigh tracks references from
rose_node structures, while the 'use' field (now refcount_t) tracks
references from rose_sock.

This patch merges these two reference counting systems using 'use' field
for proper reference management. Specifically, this patch adds incrementing
and decrementing of rose_neigh->use when rose_neigh->count is incremented
or decremented.

This patch also modifies rose_rt_free(), rose_rt_device_down() and
rose_clear_route() to properly release references to rose_neigh objects
before freeing a rose_node through rose_remove_node().

These changes ensure rose_neigh structures are properly freed only when
all references, including those from rose_node structures, are released.
As a result, this resolves a slab-use-after-free issue reported by Syzbot.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
2.6.12.1 ≤
𝑥
< 6.1.150
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.104
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.45
linuxlinux_kernel
6.13 ≤
𝑥
< 6.16.5
linuxlinux_kernel
2.6.12
linuxlinux_kernel
2.6.12:rc2
linuxlinux_kernel
2.6.12:rc3
linuxlinux_kernel
2.6.12:rc4
linuxlinux_kernel
2.6.12:rc5
linuxlinux_kernel
6.17:rc1
linuxlinux_kernel
6.17:rc2
linuxlinux_kernel
6.17:rc3
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
fixed
bookworm (security)
6.1.162-1
fixed
bullseye
vulnerable
bullseye (security)
vulnerable
forky
6.18.9-1
fixed
sid
6.18.12-1
fixed
trixie
6.12.63-1
fixed
trixie (security)
6.12.73-1
fixed
linux-6.1
bullseye (security)
6.1.162-1~deb11u1
fixed
References
https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728
https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639
https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115
https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b
https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html