{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40297", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.185Z", "datePublished": "2025-12-08T00:46:21.112Z", "dateUpdated": "2025-12-08T00:46:21.112Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-08T00:46:21.112Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix use-after-free due to MST port state bypass\n\nsyzbot reported[1] a use-after-free when deleting an expired fdb. It is\ndue to a race condition between learning still happening and a port being\ndeleted, after all its fdbs have been flushed. The port's state has been\ntoggled to disabled so no learning should happen at that time, but if we\nhave MST enabled, it will bypass the port's state, that together with VLAN\nfiltering disabled can lead to fdb learning at a time when it shouldn't\nhappen while the port is being deleted. VLAN filtering must be disabled\nbecause we flush the port VLANs when it's being deleted which will stop\nlearning. This fix adds a check for the port's vlan group which is\ninitialized to NULL when the port is getting deleted, that avoids the port\nstate bypass. When MST is enabled there would be a minimal new overhead\nin the fast-path because the port's vlan group pointer is cache-hot.\n\n[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/br_forward.c", "net/bridge/br_input.c", "net/bridge/br_private.h"], "versions": [{"version": "ec7328b59176227216c461601c6bd0e922232a9b", "lessThan": "e19085b2a86addccff33ab8536fc67ebd9d52198", "status": "affected", "versionType": "git"}, {"version": "ec7328b59176227216c461601c6bd0e922232a9b", "lessThan": "3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8", "status": "affected", "versionType": "git"}, {"version": "ec7328b59176227216c461601c6bd0e922232a9b", "lessThan": "bf3843183bc3158e5821b46f330c438ae9bd6ddb", "status": "affected", "versionType": "git"}, {"version": "ec7328b59176227216c461601c6bd0e922232a9b", "lessThan": "991fbe1680cd41a5f97c92cd3a3496315df36e4b", "status": "affected", "versionType": "git"}, {"version": "ec7328b59176227216c461601c6bd0e922232a9b", "lessThan": "8dca36978aa80bab9d4da130c211db75c9e00048", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/br_forward.c", "net/bridge/br_input.c", "net/bridge/br_private.h"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.159", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.117", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.58", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.8", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.1.159"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.117"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.58"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.17.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e19085b2a86addccff33ab8536fc67ebd9d52198"}, {"url": "https://git.kernel.org/stable/c/3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8"}, {"url": "https://git.kernel.org/stable/c/bf3843183bc3158e5821b46f330c438ae9bd6ddb"}, {"url": "https://git.kernel.org/stable/c/991fbe1680cd41a5f97c92cd3a3496315df36e4b"}, {"url": "https://git.kernel.org/stable/c/8dca36978aa80bab9d4da130c211db75c9e00048"}], "title": "net: bridge: fix use-after-free due to MST port state bypass", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix use-after-free due to MST port state bypass\n\nsyzbot reported[1] a use-after-free when deleting an expired fdb. It is\ndue to a race condition between learning still happening and a port being\ndeleted, after all its fdbs have been flushed. The port's state has been\ntoggled to disabled so no learning should happen at that time, but if we\nhave MST enabled, it will bypass the port's state, that together with VLAN\nfiltering disabled can lead to fdb learning at a time when it shouldn't\nhappen while the port is being deleted. VLAN filtering must be disabled\nbecause we flush the port VLANs when it's being deleted which will stop\nlearning. This fix adds a check for the port's vlan group which is\ninitialized to NULL when the port is getting deleted, that avoids the port\nstate bypass. When MST is enabled there would be a minimal new overhead\nin the fast-path because the port's vlan group pointer is cache-hot.\n\n[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be"}], "id": "CVE-2025-40297", "lastModified": "2025-12-08T01:16:01.813", "metrics": {}, "published": "2025-12-08T01:16:01.813", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8dca36978aa80bab9d4da130c211db75c9e00048"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/991fbe1680cd41a5f97c92cd3a3496315df36e4b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bf3843183bc3158e5821b46f330c438ae9bd6ddb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e19085b2a86addccff33ab8536fc67ebd9d52198"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}