[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-39984":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T20:55:29.923Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":33},"DEBIAN-CVE-2025-39984","In the Linux kernel, the following vulnerability has been resolved:  net: tun: Update napi->skb after XDP process  The syzbot report a UAF issue:    BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]   BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]   BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758   Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079   CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Call Trace:    \u003CTASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    skb_reset_mac_header include/linux/skbuff.h:3150 [inline]    napi_frags_skb net/core/gro.c:723 [inline]    napi_gro_frags+0x6e/0x1030 net/core/gro.c:758    tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920    tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996    new_sync_write fs/read_write.c:593 [inline]    vfs_write+0x5c9/0xb30 fs/read_write.c:686    ksys_write+0x145/0x250 fs/read_write.c:738    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    \u003C/TASK>    Allocated by task 6079:    kasan_save_stack mm/kasan/common.c:47 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:68    unpoison_slab_object mm/kasan/common.c:330 [inline]    __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558    kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]    napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295    __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657    napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811    napi_get_frags+0x69/0x140 net/core/gro.c:673    tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]    tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784    tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996    new_sync_write fs/read_write.c:593 [inline]    vfs_write+0x5c9/0xb30 fs/read_write.c:686    ksys_write+0x145/0x250 fs/read_write.c:738    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6079:    kasan_save_stack mm/kasan/common.c:47 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:68    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576    poison_slab_object mm/kasan/common.c:243 [inline]    __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275    kasan_slab_free include/linux/kasan.h:233 [inline]    slab_free_hook mm/slub.c:2422 [inline]    slab_free mm/slub.c:4695 [inline]    kmem_cache_free+0x18f/0x400 mm/slub.c:4797    skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969    netif_skb_check_for_xdp net/core/dev.c:5390 [inline]    netif_receive_generic_xdp net/core/dev.c:5431 [inline]    do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499    tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872    tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996    new_sync_write fs/read_write.c:593 [inline]    vfs_write+0x5c9/0xb30 fs/read_write.c:686    ksys_write+0x145/0x250 fs/read_write.c:738    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  After commit e6d5dbdd20aa (\"xdp: add multi-buff support for xdp running in generic mode\"), the original skb may be freed in skb_pp_cow_data() when XDP program was attached, which was allocated in tun_napi_alloc_frags(). However, the napi->skb still point to the original skb, update it after XDP process.",null,[],[],[],[14],{"_key":15},"CVE-2025-39984",[],[],[],"2025-10-15T08:15:36.400Z","2026-04-28T20:30:24.719093Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2025-39984",[27],"osv_debian",[29],"Advisory",[],[],[],[34],{"ecosystem":35,"name":36,"vendor":37,"product":36,"cpe_part":9,"purl_type":38,"purl_namespace":37,"purl_name":36,"source":9,"versions":39},"Debian","linux","debian","deb",[40,46],{"version":41,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":44,"version_end_type":45,"fixed_in":9},"lt6_12_57_1",true,"ecosystem","6.12.57-1","excluding",{"version":47,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":48,"version_end_type":45,"fixed_in":9},"lt6_16_10_1","6.16.10-1"]