{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39874", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.144Z", "datePublished": "2025-09-23T06:00:46.690Z", "dateUpdated": "2025-09-23T06:00:46.690Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-23T06:00:46.690Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: sync features on RTM_NEWLINK\n\nSyzkaller managed to lock the lower device via ETHTOOL_SFEATURES:\n\n netdev_lock include/linux/netdevice.h:2761 [inline]\n netdev_lock_ops include/net/netdev_lock.h:42 [inline]\n netdev_sync_lower_features net/core/dev.c:10649 [inline]\n __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819\n netdev_update_features+0x6d/0xe0 net/core/dev.c:10876\n macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533\n notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85\n call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]\n call_netdevice_notifiers net/core/dev.c:2281 [inline]\n netdev_features_change+0x85/0xc0 net/core/dev.c:1570\n __dev_ethtool net/ethtool/ioctl.c:3469 [inline]\n dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502\n dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759\n\nIt happens because lower features are out of sync with the upper:\n\n __dev_ethtool (real_dev)\n netdev_lock_ops(real_dev)\n ETHTOOL_SFEATURES\n __netdev_features_change\n netdev_sync_upper_features\n disable LRO on the lower\n if (old_features != dev->features)\n netdev_features_change\n fires NETDEV_FEAT_CHANGE\n\tmacsec_notify\n\t NETDEV_FEAT_CHANGE\n\t netdev_update_features (for each macsec dev)\n\t netdev_sync_lower_features\n\t if (upper_features != lower_features)\n\t netdev_lock_ops(lower) # lower == real_dev\n\t\t stuck\n\t\t ...\n\n netdev_unlock_ops(real_dev)\n\nPer commit af5f54b0ef9e (\"net: Lock lower level devices when updating\nfeatures\"), we elide the lock/unlock when the upper and lower features\nare synced. Makes sure the lower (real_dev) has proper features after\nthe macsec link has been created. This makes sure we never hit the\nsituation where we need to sync upper flags to the lower."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/macsec.c"], "versions": [{"version": "7e4d784f5810bba76c4593791028e13cce4af547", "lessThan": "d7624629ccf47135c65fef0701fa0d9a115b87f3", "status": "affected", "versionType": "git"}, {"version": "7e4d784f5810bba76c4593791028e13cce4af547", "lessThan": "0f82c3ba66c6b2e3cde0f255156a753b108ee9dc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/macsec.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.8", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.16.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.17-rc6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d7624629ccf47135c65fef0701fa0d9a115b87f3"}, {"url": "https://git.kernel.org/stable/c/0f82c3ba66c6b2e3cde0f255156a753b108ee9dc"}], "title": "macsec: sync features on RTM_NEWLINK", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: sync features on RTM_NEWLINK\n\nSyzkaller managed to lock the lower device via ETHTOOL_SFEATURES:\n\n netdev_lock include/linux/netdevice.h:2761 [inline]\n netdev_lock_ops include/net/netdev_lock.h:42 [inline]\n netdev_sync_lower_features net/core/dev.c:10649 [inline]\n __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819\n netdev_update_features+0x6d/0xe0 net/core/dev.c:10876\n macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533\n notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85\n call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]\n call_netdevice_notifiers net/core/dev.c:2281 [inline]\n netdev_features_change+0x85/0xc0 net/core/dev.c:1570\n __dev_ethtool net/ethtool/ioctl.c:3469 [inline]\n dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502\n dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759\n\nIt happens because lower features are out of sync with the upper:\n\n __dev_ethtool (real_dev)\n netdev_lock_ops(real_dev)\n ETHTOOL_SFEATURES\n __netdev_features_change\n netdev_sync_upper_features\n disable LRO on the lower\n if (old_features != dev->features)\n netdev_features_change\n fires NETDEV_FEAT_CHANGE\n\tmacsec_notify\n\t NETDEV_FEAT_CHANGE\n\t netdev_update_features (for each macsec dev)\n\t netdev_sync_lower_features\n\t if (upper_features != lower_features)\n\t netdev_lock_ops(lower) # lower == real_dev\n\t\t stuck\n\t\t ...\n\n netdev_unlock_ops(real_dev)\n\nPer commit af5f54b0ef9e (\"net: Lock lower level devices when updating\nfeatures\"), we elide the lock/unlock when the upper and lower features\nare synced. Makes sure the lower (real_dev) has proper features after\nthe macsec link has been created. This makes sure we never hit the\nsituation where we need to sync upper flags to the lower."}], "id": "CVE-2025-39874", "lastModified": "2025-09-23T06:15:46.813", "metrics": {}, "published": "2025-09-23T06:15:46.813", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0f82c3ba66c6b2e3cde0f255156a753b108ee9dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d7624629ccf47135c65fef0701fa0d9a115b87f3"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"created": "2025-09-23T16:03:18.946112+00:00", "updated": "2025-09-23T16:03:18.946168+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}