CVE-2025-22103

Description

In the Linux kernel, the following vulnerability has been resolved: net: fix NULL pointer dereference in l3mdev_l3_rcv When delete l3s ipvlan: ip link del link eth0 ipvlan1 type ipvlan mode l3s This may cause a null pointer dereference: Call trace: ip_rcv_finish+0x48/0xd0 ip_rcv+0x5c/0x100 __netif_receive_skb_one_core+0x64/0xb0 __netif_receive_skb+0x20/0x80 process_backlog+0xb4/0x204 napi_poll+0xe8/0x294 net_rx_action+0xd8/0x22c __do_softirq+0x12c/0x354 This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process like this: (CPU1) | (CPU2) l3mdev_l3_rcv() | check dev->priv_flags: | master = skb->dev; | | | ipvlan_l3s_unregister() | set dev->priv_flags | dev->l3mdev_ops = NULL; | visit master->l3mdev_ops | To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.03%• Percentile: 7%

Techniques & Countermeasures

• CWE-476•NULL Pointer Dereference

  The product dereferences a pointer that it expects to be valid but is NULL.

Affected Systems

• linux•linux

  ≥ c675e06a98a474f7ad0af32ce467613da818da52, < 52b44d8c653459c658b733d13658afdde45f6836 | ≥ c675e06a98a474f7ad0af32ce467613da818da52, < 59599bce44af3df7a215ebc81cb166426e1c9204 | ≥ c675e06a98a474f7ad0af32ce467613da818da52, < f9dff65140efc289f01bcf39c3ca66a8806b6132 | ≥ c675e06a98a474f7ad0af32ce467613da818da52, < 0032c99e83b9ce6d5995d65900aa4b6ffb501cce | 5.1

• linux•linux_kernel

  ≥ 5.1, < 6.12.46 | ≥ 6.13, < 6.14.2

References (4)

• https://git.kernel.org/stable/c/52b44d8c653459c658b733d13658afdde45f6836
• https://git.kernel.org/stable/c/59599bce44af3df7a215ebc81cb166426e1c9204
• https://git.kernel.org/stable/c/f9dff65140efc289f01bcf39c3ca66a8806b6132
• https://git.kernel.org/stable/c/0032c99e83b9ce6d5995d65900aa4b6ffb501cce