
CVE-2025-37786: Vulnerability in Linux

Severity: High
Published: Thu May 01 2025 (05/01/2025, 13:07:20 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: free routing table on probe failure

If complete = true in dsa_tree_setup(), it means that we are the last switch of the tree which is successfully probing, and we should be setting up all switches from our probe path.

After "complete" becomes true, dsa_tree_setup_cpu_ports() or any subsequent function may fail. If that happens, the entire tree setup is in limbo: the first N-1 switches have successfully finished probing (doing nothing but having allocated persistent memory in the tree's dst->ports, and maybe dst->rtable), and switch N failed to probe, ending the tree setup process before anything is tangible from the user's PoV.

If switch N fails to probe, its memory (ports) will be freed and removed from dst->ports. However, the dst->rtable elements pointing to its ports, as created by dsa_link_touch(), will remain there, and will lead to use-after-free if dereferenced.

If dsa_tree_setup_switches() returns -EPROBE_DEFER, which is entirely possible because that is where ds->ops->setup() is, we get a kasan report like this:

    ==================================================================
    BUG: KASAN: slab-use-after-free in mv88e6xxx_setup_upstream_port+0x240/0x568
    Read of size 8 at addr ffff000004f56020 by task kworker/u8:3/42

    Call trace:
     __asan_report_load8_noabort+0x20/0x30
     mv88e6xxx_setup_upstream_port+0x240/0x568
     mv88e6xxx_setup+0xebc/0x1eb0
     dsa_register_switch+0x1af4/0x2ae0
     mv88e6xxx_register_switch+0x1b8/0x2a8
     mv88e6xxx_probe+0xc4c/0xf60
     mdio_probe+0x78/0xb8
     really_probe+0x2b8/0x5a8
     __driver_probe_device+0x164/0x298
     driver_probe_device+0x78/0x258
     __device_attach_driver+0x274/0x350

    Allocated by task 42:
     __kasan_kmalloc+0x84/0xa0
     __kmalloc_cache_noprof+0x298/0x490
     dsa_switch_touch_ports+0x174/0x3d8
     dsa_register_switch+0x800/0x2ae0
     mv88e6xxx_register_switch+0x1b8/0x2a8
     mv88e6xxx_probe+0xc4c/0xf60
     mdio_probe+0x78/0xb8
     really_probe+0x2b8/0x5a8
     __driver_probe_device+0x164/0x298
     driver_probe_device+0x78/0x258
     __device_attach_driver+0x274/0x350

    Freed by task 42:
     __kasan_slab_free+0x48/0x68
     kfree+0x138/0x418
     dsa_register_switch+0x2694/0x2ae0
     mv88e6xxx_register_switch+0x1b8/0x2a8
     mv88e6xxx_probe+0xc4c/0xf60
     mdio_probe+0x78/0xb8
     really_probe+0x2b8/0x5a8
     __driver_probe_device+0x164/0x298
     driver_probe_device+0x78/0x258
     __device_attach_driver+0x274/0x350

The simplest way to fix the bug is to delete the routing table in its entirety. dsa_tree_setup_routing_table() has no problem in regenerating it even if we deleted links between ports other than those of switch N, because dsa_link_touch() first checks whether the port pair already exists in dst->rtable, allocating if not.

The deletion of the routing table in its entirety already exists in dsa_tree_teardown(), so refactor that into a function that can also be called from the tree setup error path.

In my analysis of the commit to blame, it is the one which added dsa_link elements to dst->rtable. Prior to that, each switch had its own ds->rtable which is freed when the switch fails to probe. But the tree is potentially persistent memory.

AI-Powered Analysis

Last updated: 07/03/2025, 23:24:30 UTC

Technical Analysis

CVE-2025-37786 is a use-after-free vulnerability in the Linux kernel's Distributed Switch Architecture (DSA) subsystem, specifically related to the handling of routing tables during the probing and setup of switch trees. The vulnerability arises when the last switch in a DSA tree (switch N) fails to probe successfully after the 'complete' flag is set to true in the dsa_tree_setup() function. At this point, the first N-1 switches have allocated persistent memory for ports and possibly routing tables, but the failure of switch N causes its allocated memory to be freed and removed from the ports list. However, the routing table entries (dst->rtable) that reference the freed ports remain intact, leading to a use-after-free condition if these stale pointers are dereferenced. This flaw is triggered when dsa_tree_setup_switches() returns -EPROBE_DEFER, which can happen during the ds->ops->setup() call, as demonstrated by kernel address sanitizer (KASAN) reports showing slab-use-after-free errors in the mv88e6xxx driver functions. The root cause is that the routing table is not fully cleared upon probe failure, leaving dangling references. The proposed fix involves refactoring the code to delete the entire routing table upon probe failure, ensuring no stale references remain. This approach leverages existing teardown logic that safely deletes routing tables, allowing the system to regenerate routing information cleanly. The vulnerability affects Linux kernel versions containing the specified commit (c5f51765a1f60b701840544faf3ca63204b8dc3c) and impacts systems using the DSA framework with affected switch drivers such as mv88e6xxx. Exploitation requires kernel-level interaction during device probing, typically during system boot or device initialization phases. No known exploits are currently reported in the wild.
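The failure sequence the analysis describes, and what the fix changes, as an added illustration that is not kernel code and not part of the original page. It is a constructed toy model of dst->ports and dst->rtable: two switches are probed, a link between them is recorded, the last switch then fails to probe and its ports leave the tree. The functions tree_touch_ports, tree_link_touch, tree_free_switch_ports, tree_teardown_routing_table, tree_count_stale_links and simulate_probe_failure are assumed stand-ins for the kernel functions named in the description, not their real signatures; freed ports are only flagged rather than kfree()'d so the dangling routing-table entries can be counted without touching freed memory.

```c
/* Added example: constructed toy model of the DSA tree setup failure, not
 * kernel code. Ports are flagged instead of kfree()'d so stale routing-table
 * references can be counted safely. */
#include <stdbool.h>
#include <string.h>

#define MAX_PORTS 8
#define MAX_LINKS 16

struct dsa_port {             /* stand-in for struct dsa_port */
    int sw_index;             /* owning switch */
    bool allocated;           /* false once the owning switch's probe failed */
};

struct dsa_link {             /* stand-in for struct dsa_link in dst->rtable */
    struct dsa_port *dp;      /* local port */
    struct dsa_port *link_dp; /* port on the neighbouring switch */
};

struct dsa_switch_tree {      /* stand-in for struct dsa_switch_tree (dst) */
    struct dsa_port ports[MAX_PORTS];
    int nports;
    struct dsa_link rtable[MAX_LINKS];
    int nlinks;
};

/* Stand-in for dsa_switch_touch_ports(): allocate one switch's ports. */
static void tree_touch_ports(struct dsa_switch_tree *dst, int sw_index, int count)
{
    for (int i = 0; i < count && dst->nports < MAX_PORTS; i++) {
        struct dsa_port *dp = &dst->ports[dst->nports++];
        dp->sw_index = sw_index;
        dp->allocated = true;
    }
}

/* Stand-in for dsa_link_touch(): reuse an existing (dp, link_dp) entry and
 * allocate only if the pair is missing, so the table can be regenerated. */
static struct dsa_link *tree_link_touch(struct dsa_switch_tree *dst,
                                        struct dsa_port *dp,
                                        struct dsa_port *link_dp)
{
    for (int i = 0; i < dst->nlinks; i++)
        if (dst->rtable[i].dp == dp && dst->rtable[i].link_dp == link_dp)
            return &dst->rtable[i];
    if (dst->nlinks >= MAX_LINKS)
        return NULL;
    struct dsa_link *dl = &dst->rtable[dst->nlinks++];
    dl->dp = dp;
    dl->link_dp = link_dp;
    return dl;
}

/* Probe failure of switch sw_index: its ports leave dst->ports (kfree in the kernel). */
static void tree_free_switch_ports(struct dsa_switch_tree *dst, int sw_index)
{
    for (int i = 0; i < dst->nports; i++)
        if (dst->ports[i].sw_index == sw_index)
            dst->ports[i].allocated = false;
}

/* The fix: whole-table teardown, previously only in dsa_tree_teardown(),
 * factored out so the tree setup error path can call it as well. */
static void tree_teardown_routing_table(struct dsa_switch_tree *dst)
{
    memset(dst->rtable, 0, sizeof(dst->rtable));
    dst->nlinks = 0;
}

/* Each link still referencing a freed port is a pointer the next probe attempt
 * would dereference: the slab-use-after-free in the KASAN report. */
static int tree_count_stale_links(const struct dsa_switch_tree *dst)
{
    int stale = 0;
    for (int i = 0; i < dst->nlinks; i++)
        if (!dst->rtable[i].dp->allocated || !dst->rtable[i].link_dp->allocated)
            stale++;
    return stale;
}

/* Two-switch tree: switch 0 probes fine; switch 1 is the last one ("complete"
 * is true) and fails in dsa_tree_setup_switches() with -EPROBE_DEFER.
 * Returns the number of dangling routing-table entries left behind. */
int simulate_probe_failure(bool apply_fix)
{
    struct dsa_switch_tree dst;
    memset(&dst, 0, sizeof(dst));
    tree_touch_ports(&dst, 0, 2);   /* ports[0..1]: switch 0 */
    tree_touch_ports(&dst, 1, 2);   /* ports[2..3]: switch 1 */
    /* switch 0 port 1 <-> switch 1 port 0, touched from both sides; the
     * repeated touch takes the dedup path and adds nothing. */
    tree_link_touch(&dst, &dst.ports[1], &dst.ports[2]);
    tree_link_touch(&dst, &dst.ports[1], &dst.ports[2]);
    tree_link_touch(&dst, &dst.ports[2], &dst.ports[1]);

    tree_free_switch_ports(&dst, 1);
    if (apply_fix)
        tree_teardown_routing_table(&dst);
    return tree_count_stale_links(&dst);
}
```

Without the fix, both routing-table entries that mention switch 1's port survive its probe failure and point at memory the real kernel has already freed; with the teardown added to the error path the table is empty, and a later successful probe rebuilds it through the dedup-aware touch routine.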

Potential Impact

For European organizations, this vulnerability poses a risk primarily to infrastructure relying on Linux-based systems with DSA-enabled network switches, such as embedded devices, industrial control systems, or network appliances using mv88e6xxx or similar switch drivers. The use-after-free condition can lead to kernel crashes (denial of service) or potentially enable escalation of privileges or arbitrary code execution within the kernel context if exploited by a local attacker with the ability to trigger device probing. This could disrupt critical network operations, affecting availability and integrity of network communications. Organizations operating data centers, telecommunications infrastructure, or industrial networks with Linux-based network devices are particularly at risk. Given the complexity and requirement for local kernel-level access to trigger the flaw, remote exploitation is unlikely without prior compromise. However, the impact on system stability and potential for privilege escalation warrants prompt attention. The vulnerability could also affect Linux distributions widely used in Europe, impacting a broad range of sectors including finance, manufacturing, and public services that depend on stable and secure network infrastructure.

Mitigation Recommendations

European organizations should ensure that all Linux systems, especially those running network devices with DSA support and mv88e6xxx or related switch drivers, are updated promptly with the patched kernel versions that include the fix for CVE-2025-37786. System administrators should:

1) Monitor vendor and distribution security advisories for kernel updates addressing this vulnerability.
2) Apply kernel patches or upgrade to fixed kernel versions as soon as they become available.
3) Audit systems to identify devices using the affected DSA drivers and prioritize patching those devices.
4) Implement strict access controls to limit local user privileges, reducing the risk of local exploitation.
5) Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to mitigate exploitation impact.
6) Use kernel runtime security tools (e.g., KASAN, KSPP) in testing environments to detect similar memory corruption issues proactively.
7) For critical infrastructure, consider network segmentation and isolation to limit exposure of vulnerable devices.

These steps go beyond generic advice by focusing on the specific affected components and operational contexts relevant to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.940Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe840c

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 11:24:30 PM

Last updated: 8/14/2025, 7:16:31 AM
