CVE-2025-38587 in Linux
Summary
by MITRE • 08/19/2025
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix possible infinite loop in fib6_info_uses_dev()
fib6_info_uses_dev() seems to rely on RCU without an explicit protection.
Like the prior fix in rt6_nlmsg_size(), we need to make sure fib6_del_route() or fib6_add_rt2node() have not removed the anchor from the list, or we risk an infinite loop.
Analysis
by VulDB Data Team • 01/08/2026
The vulnerability identified as CVE-2025-38587 represents a critical race condition within the Linux kernel's IPv6 forwarding implementation that could lead to system instability and potential denial of service conditions. This flaw exists in the fib6_info_uses_dev() function which handles IPv6 routing table operations, specifically when managing references to network devices within the forwarding information base. The issue stems from inadequate synchronization mechanisms during concurrent access to shared data structures, creating a scenario where the kernel may become trapped in an infinite loop during routing table modifications.
The technical root cause of this vulnerability lies in the improper handling of Read-Copy-Update (RCU) synchronization primitives within the IPv6 forwarding code path. The fib6_info_uses_dev() function fails to implement explicit protection mechanisms that would prevent access to potentially modified or destroyed data structures during concurrent operations. This pattern mirrors a previously identified issue in rt6_nlmsg_size() where similar RCU handling was corrected, indicating that the kernel developers have recognized this class of vulnerability in their networking subsystem. The absence of proper locking or validation checks means that when fib6_del_route() or fib6_add_rt2node() operations are in progress, the function may attempt to traverse a list that has already been modified or from which the anchor has been removed, leading to circular references and indefinite looping behavior.
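The failure mode described above, as an added user-space sketch (not kernel code and not the upstream patch): a circular list walk that stops only when it gets back to its anchor never stops once the anchor has been unlinked. The struct, the function names, the `linked` flag and the step budget are assumptions made for this illustration, and the race is simulated by running the writer before the reader's walk.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model of a circular list entry; all names are illustrative. */
struct node { struct node *next, *prev; int dev; bool linked; };

static void ring_init(struct node *n, int dev)
{
    n->next = n->prev = n; n->dev = dev; n->linked = true;
}

static void ring_add_tail(struct node *n, struct node *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* RCU-style delete: unlink n but keep n->next so a reader on n can move on. */
static void ring_del_rcu(struct node *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->linked = false;
}

/* 1 = dev found, 0 = not found, -1 = step budget exhausted (endless walk). */
static int uses_dev(const struct node *anchor, int dev, bool guarded, int budget)
{
    if (anchor->dev == dev) return 1;
    for (const struct node *pos = anchor->next; pos != anchor; pos = pos->next) {
        if (pos->dev == dev) return 1;
        if (guarded && !anchor->linked) return 0; /* anchor gone: stop walking */
        if (--budget <= 0) return -1;
    }
    return 0;
}

/* Build ring a(1) -> b(2) -> c(3); optionally unlink the anchor before the walk. */
static int demo(bool remove_anchor, bool guarded, int dev)
{
    struct node a, b, c;
    ring_init(&a, 1); ring_init(&b, 2); ring_init(&c, 3);
    ring_add_tail(&b, &a); ring_add_tail(&c, &a);
    if (remove_anchor) ring_del_rcu(&a); /* writer wins the race; reader still holds &a */
    return uses_dev(&a, dev, guarded, 1000);
}

int main(void)
{
    printf("intact ring:          %d\n", demo(false, false, 9));
    printf("anchor removed:       %d\n", demo(true, false, 9));
    printf("anchor removed+guard: %d\n", demo(true, true, 9));
    return 0;
}
```

After the unlink, the remaining entries point only at each other, so the unguarded walk cycles between them until the budget runs out; re-checking the anchor on every step ends the walk.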
The operational impact of this vulnerability extends beyond simple system performance degradation to potentially complete system lockup or crash conditions. When the infinite loop occurs within kernel space, it prevents the kernel from processing legitimate network traffic and system operations, effectively creating a denial of service condition that could affect network connectivity for the entire system. This vulnerability particularly impacts systems running high-traffic IPv6 workloads where frequent routing table modifications occur, such as network routers, firewalls, or any system serving as a network gateway. The condition can be triggered through normal network operations involving IPv6 address configuration changes, routing updates, or interface management activities, making it difficult to predict and prevent in production environments.
Security implications of this vulnerability align with CWE-362, which describes a race condition in concurrent programming, and can be mapped to ATT&CK technique T1499.004 for network denial of service. The vulnerability's exploitation requires only normal network operations rather than specialized attack vectors, making it particularly concerning for network infrastructure. Mitigation strategies should include immediate kernel updates from vendors, implementation of network monitoring to detect abnormal looping behaviors, and potentially temporary disabling of IPv6 routing table modifications during critical system operations. System administrators should also consider implementing intrusion detection systems that can identify the characteristic patterns of infinite loop conditions in kernel space. The fix requires careful implementation of proper RCU synchronization mechanisms and validation checks to ensure that list traversal operations do not encounter modified or destroyed data structures, similar to the approach used in the rt6_nlmsg_size() fix that serves as a reference implementation for this class of vulnerability.