CVE-2025-40074 in Linux
Summary
by MITRE • 10/28/2025
In the Linux kernel, the following vulnerability has been resolved:
ipv4: start using dst_dev_rcu()
Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.
Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(), ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability identified as CVE-2025-40074 represents a critical memory safety issue within the Linux kernel's IPv4 networking stack that could potentially lead to use-after-free conditions and system instability. This vulnerability specifically affects the kernel's handling of network packet processing and routing operations, where improper memory management could allow malicious actors to exploit memory corruption patterns. The issue manifests in multiple functions that process IPv4 packets and manage multicast routing, creating potential attack vectors that could compromise system integrity and availability.
The technical flaw stems from the improper use of reference counting mechanisms in the kernel's networking subsystem, particularly in functions that handle IPv4 packet forwarding and multicast routing. The vulnerability occurs when functions like icmpv4_xrlim_allow(), ip_defrag(), ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(), and ipv4_neigh_lookup() do not use the lockdep-enabled dst_dev_rcu() function. This oversight creates scenarios where network device references may be freed while still being accessed, leading to potential use-after-free conditions that could be exploited by attackers to execute arbitrary code or cause denial of service.
The operational impact of this vulnerability extends beyond simple system crashes, as it affects the fundamental stability of network operations within the Linux kernel. When these functions encounter memory corruption scenarios, they may cause kernel panics, system hangs, or allow privilege escalation attacks that could enable malicious users to gain elevated system privileges. The vulnerability particularly affects systems running Linux kernels with active IPv4 networking and multicast routing capabilities, making it relevant to a broad range of network infrastructure and server environments.
Security mitigations for CVE-2025-40074 involve implementing the corrected dst_dev_rcu() usage with proper lockdep enablement across all affected functions. System administrators should prioritize applying kernel updates that include the patched code, which ensures that network packet processing functions properly handle reference counting and memory management. The fix specifically addresses the underlying CWE-416 use-after-free vulnerability pattern, aligning with ATT&CK technique T1059.001 for command and scripting interpreter usage and T1499.004 for network disruption. Organizations should also implement network monitoring to detect potential exploitation attempts and maintain robust patch management processes to ensure all systems receive timely security updates. The vulnerability highlights the importance of proper memory management in kernel space and demonstrates how seemingly minor reference counting issues can have significant security implications across network subsystems.
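The pattern the analysis describes, as an added example that is not taken from the kernel patch or from VulDB: a userspace C model of why a device pointer read from a route entry has to stay inside a read-side section, and what a lockdep-style check on the accessor catches. Every `*_model` name, the single-threaded interleaving, and the `freed` flag (standing in for real reclamation) are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only: every *_model name is hypothetical, not kernel code. */
struct net_device_model { int ifindex; bool freed; };
struct dst_entry_model  { struct net_device_model *dev; };
static int rcu_depth, lockdep_splats;      /* read-side depth; unprotected accesses caught */
static struct net_device_model *deferred;  /* old device waiting for readers to leave */
static void rcu_read_lock_model(void) { rcu_depth++; }
static void rcu_read_unlock_model(void)
{   /* last reader leaving ends the modelled grace period */
    if (--rcu_depth == 0 && deferred) { deferred->freed = true; deferred = NULL; }
}

/* Plain accessor: the pointer is not tied to any read-side section. */
static struct net_device_model *dst_dev_model(const struct dst_entry_model *dst)
{ return dst->dev; }
/* Checked accessor: same load, but an unprotected caller is recorded. */
static struct net_device_model *dst_dev_rcu_model(const struct dst_entry_model *dst)
{
    if (rcu_depth == 0) lockdep_splats++;
    return dst->dev;
}

/* Writer: swap the device, reclaim the old one once no reader can hold it. */
static void writer_replace_model(struct dst_entry_model *dst, struct net_device_model *repl)
{
    struct net_device_model *old = dst->dev;
    dst->dev = repl;
    if (rcu_depth == 0) old->freed = true; else deferred = old;
}

/* Returns the ifindex read after a replace, or -1 if the device was already reclaimed. */
static int read_ifindex_model(struct dst_entry_model *dst, struct net_device_model *repl, bool protect)
{
    if (protect) rcu_read_lock_model();
    struct net_device_model *dev = protect ? dst_dev_rcu_model(dst) : dst_dev_model(dst);
    writer_replace_model(dst, repl);       /* constructed interleaving: writer runs mid-read */
    int idx = dev->freed ? -1 : dev->ifindex;
    if (protect) rcu_read_unlock_model();
    return idx;
}

int main(void)
{
    struct net_device_model a = {2, false}, b = {3, false}, c = {4, false};  /* constructed devices */
    struct dst_entry_model dst = { &a };
    printf("unprotected=%d ", read_ifindex_model(&dst, &b, false));
    printf("protected=%d\n", read_ifindex_model(&dst, &c, true));
}
```

In the model the unprotected read observes a reclaimed device, while the protected read completes before reclamation; calling the checked accessor outside a read-side section is what increments `lockdep_splats`.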