CVE-2025-37786 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: free routing table on probe failure
If complete = true in dsa_tree_setup(), it means that we are the last switch of the tree which is successfully probing, and we should be setting up all switches from our probe path.
After "complete" becomes true, dsa_tree_setup_cpu_ports() or any subsequent function may fail. If that happens, the entire tree setup is in limbo: the first N-1 switches have successfully finished probing (doing nothing but having allocated persistent memory in the tree's dst->ports, and maybe dst->rtable), and switch N failed to probe, ending the tree setup process before anything is tangible from the user's PoV.
If switch N fails to probe, its memory (ports) will be freed and removed from dst->ports. However, the dst->rtable elements pointing to its ports, as created by dsa_link_touch(), will remain there, and will lead to use-after-free if dereferenced.
If dsa_tree_setup_switches() returns -EPROBE_DEFER, which is entirely possible because that is where ds->ops->setup() is, we get a kasan report like this:
================================================================== BUG: KASAN: slab-use-after-free in mv88e6xxx_setup_upstream_port+0x240/0x568 Read of size 8 at addr ffff000004f56020 by task kworker/u8:3/42
Call trace: __asan_report_load8_noabort+0x20/0x30 mv88e6xxx_setup_upstream_port+0x240/0x568 mv88e6xxx_setup+0xebc/0x1eb0 dsa_register_switch+0x1af4/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350
Allocated by task 42: __kasan_kmalloc+0x84/0xa0 __kmalloc_cache_noprof+0x298/0x490 dsa_switch_touch_ports+0x174/0x3d8 dsa_register_switch+0x800/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350
Freed by task 42: __kasan_slab_free+0x48/0x68 kfree+0x138/0x418 dsa_register_switch+0x2694/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350
The simplest way to fix the bug is to delete the routing table in its entirety. dsa_tree_setup_routing_table() has no problem in regenerating it even if we deleted links between ports other than those of switch N, because dsa_link_touch() first checks whether the port pair already exists in dst->rtable, allocating if not.
The deletion of the routing table in its entirety already exists in dsa_tree_teardown(), so refactor that into a function that can also be called from the tree setup error path.
In my analysis of the commit to blame, it is the one which added dsa_link elements to dst->rtable. Prior to that, each switch had its own ds->rtable which is freed when the switch fails to probe. But the tree is potentially persistent memory.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/16/2026
The vulnerability described in CVE-2025-37786 resides within the Linux kernel's Distributed Switch Architecture (DSA) subsystem, specifically in how the system handles routing table management during switch tree setup operations. This issue manifests when a DSA tree setup process encounters a failure during probe operations, leading to a use-after-free condition that can result in system instability or potential exploitation. The problem occurs in the context of network switch management where multiple switches are interconnected in a tree topology, each requiring proper initialization and configuration to function correctly within the network infrastructure.
The technical flaw stems from improper memory management during the DSA tree setup process when the "complete" flag is set to true, indicating the final switch in the probe sequence has been successfully identified. At this point, the system attempts to set up all switches from the probe path, but if subsequent operations like dsa_tree_setup_cpu_ports() fail, the system enters an inconsistent state where memory allocated for earlier switches remains allocated while the failing switch's memory is freed. However, the routing table entries (dst->rtable) that reference the freed memory are not properly cleaned up, creating dangling pointers that can be dereferenced later, resulting in a use-after-free condition. This memory corruption scenario is particularly dangerous because it can be triggered by the standard error path of device probe operations, where -EPROBE_DEFER errors are common during hardware initialization.
The operational impact of this vulnerability is significant for network infrastructure systems running Linux kernels with DSA support, particularly in environments where multiple network switches are managed through a single DSA framework. The use-after-free condition can lead to kernel panics, system crashes, or potentially allow privilege escalation attacks if exploited by malicious actors. The vulnerability is particularly concerning because it occurs during normal device probe operations, meaning any network switch initialization process could trigger the condition, making it a persistent threat to system stability. The KASAN report demonstrates that this issue can be triggered by specific driver operations like mv88e6xxx_setup_upstream_port, indicating that it affects specific switch chipsets that implement the DSA framework.
The fix for this vulnerability involves refactoring the existing code to ensure that when a DSA tree setup fails during probe operations, the entire routing table is properly cleaned up rather than leaving dangling references to freed memory. The solution leverages the existing dsa_tree_teardown() function's capability to delete the routing table entirely and makes this functionality available for error paths during tree setup. This approach aligns with the principle of defensive programming and proper resource management, ensuring that all memory allocated during setup operations is consistently freed regardless of whether the setup succeeds or fails. The fix addresses the root cause by preventing the creation of dangling references in the routing table structure, which is consistent with CWE-416 (Use After Free) and follows established security practices for memory management in kernel space. This vulnerability demonstrates the complexity of managing persistent memory structures in kernel drivers and the importance of maintaining consistency between data structures during error handling scenarios, which is also aligned with ATT&CK techniques related to kernel exploitation and system stability compromise.