CVE-2025-38032 in Linuxinfo

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

mr: consolidate the ipmr_can_free_table() checks.

Guoyu Yin reported a splat in the ipmr netns cleanup path:

WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_free_table net/ipv4/ipmr.c:440 [inline]
WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Modules linked in: CPU: 2 UID: 0 PID: 14564 Comm: syz.4.838 Not tainted 6.14.0 #1 Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ipmr_free_table net/ipv4/ipmr.c:440 [inline]
RIP: 0010:ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Code: ff df 48 c1 ea 03 80 3c 02 00 75 7d 48 c7 83 60 05 00 00 00 00 00 00 5b 5d 41 5c 41 5d 41 5e e9 71 67 7f 00 e8 4c 2d 8a fd 90 <0f> 0b 90 eb 93 e8 41 2d 8a fd 0f b6 2d 80 54 ea 01 31 ff 89 ee e8 RSP: 0018:ffff888109547c58 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888108c12dc0 RCX: ffffffff83e09868 RDX: ffff8881022b3300 RSI: ffffffff83e098d4 RDI: 0000000000000005 RBP: ffff888104288000 R08: 0000000000000000 R09: ffffed10211825c9 R10: 0000000000000001 R11: ffff88801816c4a0 R12: 0000000000000001 R13: ffff888108c13320 R14: ffff888108c12dc0 R15: fffffbfff0b74058 FS: 00007f84f39316c0(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f84f3930f98 CR3: 0000000113b56000 CR4: 0000000000350ef0 Call Trace: <TASK> ipmr_net_exit_batch+0x50/0x90 net/ipv4/ipmr.c:3160 ops_exit_list+0x10c/0x160 net/core/net_namespace.c:177 setup_net+0x47d/0x8e0 net/core/net_namespace.c:394 copy_net_ns+0x25d/0x410 net/core/net_namespace.c:516 create_new_namespaces+0x3f6/0xaf0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc3/0x180 kernel/nsproxy.c:228 ksys_unshare+0x78d/0x9a0 kernel/fork.c:3342 __do_sys_unshare kernel/fork.c:3413 [inline]
__se_sys_unshare kernel/fork.c:3411 [inline]
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3411 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f84f532cc29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f84f3931038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f84f5615fa0 RCX: 00007f84f532cc29 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000400 RBP: 00007f84f53fba18 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f84f5615fa0 R15: 00007fff51c5f328 </TASK>

The running kernel has CONFIG_IP_MROUTE_MULTIPLE_TABLES disabled, and the sanity check for such build is still too loose.

Address the issue consolidating the relevant sanity check in a single helper regardless of the kernel configuration. Also share it between the ipv4 and ipv6 code.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/02/2026

The vulnerability described in CVE-2025-38032 resides within the Linux kernel's multicast routing implementation, specifically in the ipmr.c file responsible for managing multicast routing tables. This issue manifests as a kernel oops or splat during the cleanup of network namespaces, indicating a potential memory access violation or improper state handling during the shutdown sequence of multicast routing functionality. The problem occurs when the kernel attempts to free multicast routing tables in a network namespace context, suggesting that certain safety checks are either missing or insufficiently enforced during the cleanup process.

The technical root cause of this vulnerability lies in the inconsistent handling of multicast routing table checks within the kernel's network namespace management subsystem. According to the stack trace, the issue originates from the ipmr_rules_exit function which calls ipmr_free_table at line 440 of net/ipv4/ipmr.c. The kernel configuration option CONFIG_IP_MROUTE_MULTIPLE_TABLES being disabled indicates that the system is compiled without support for multiple multicast routing tables, yet the code path still attempts to perform operations that would only be valid in a multi-table environment. This misalignment between compile-time configuration and runtime behavior creates a condition where the kernel performs invalid memory operations when cleaning up network namespaces.

The operational impact of this vulnerability is significant as it can lead to kernel panics or system crashes during normal network namespace operations, particularly when creating or destroying network namespaces that involve multicast routing functionality. The vulnerability is particularly concerning because it can be triggered through the unshare system call, which allows processes to create new network namespaces. This means that an unprivileged user could potentially cause a denial of service by creating multiple network namespaces and triggering the cleanup path. The issue affects systems where multicast routing is compiled into the kernel but configured to run in single-table mode, making it a widespread concern across various Linux distributions and kernel versions.

The fix implemented addresses this vulnerability by consolidating the ipmr_can_free_table() checks into a single helper function that properly evaluates the kernel configuration and ensures consistent behavior regardless of whether CONFIG_IP_MROUTE_MULTIPLE_TABLES is enabled or disabled. This approach eliminates the race condition and inconsistent logic that led to the kernel oops, while also sharing the same validation logic between IPv4 and IPv6 multicast routing implementations. The fix aligns with the principle of least privilege and defensive programming practices, ensuring that kernel code properly validates its assumptions before proceeding with memory management operations. This remediation follows established security best practices and aligns with CWE-691, which addresses insufficient control flow management in kernel code, and addresses ATT&CK technique T1499.004 for resource exhaustion through kernel memory corruption.

The vulnerability demonstrates a classic case of improper conditional compilation handling in kernel space, where code paths that should be mutually exclusive based on compile-time configuration are not properly isolated. The fix ensures that all code paths that might access multicast routing tables properly check the kernel configuration before proceeding, preventing invalid memory operations that could lead to system instability. This type of vulnerability is particularly dangerous because it can be exploited to cause system crashes or potentially provide a foothold for further exploitation if combined with other vulnerabilities in the kernel's memory management subsystem. Organizations should ensure their systems are updated with the patched kernel version to prevent potential denial of service attacks that could disrupt critical network services or compromise system availability.

Responsible

Linux

Reservation

04/16/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00137

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!