{
  "threat_severity" : "Moderate",
  "public_date" : "2025-04-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: RDMA/core: Fix use-after-free when rename device name",
    "id" : "2360219",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2360219"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nRDMA/core: Fix use-after-free when rename device name\nSyzbot reported a slab-use-after-free with the following call trace:\n==================================================================\nBUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099\nRead of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025\nCPU: 0 UID: 0 PID: 10025 Comm: syz.0.988\nNot tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0\nHardware name: Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:408 [inline]\nprint_report+0x16e/0x5b0 mm/kasan/report.c:521\nkasan_report+0x143/0x180 mm/kasan/report.c:634\nkasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\nnla_put+0xd3/0x150 lib/nlattr.c:1099\nnla_put_string include/net/netlink.h:1621 [inline]\nfill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265\nrdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857\nib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344\nib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460\nrxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540\nrxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550\nrxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212\nnldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795\nrdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\nrdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259\nnetlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\nnetlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339\nnetlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883\nsock_sendmsg_nosec net/socket.c:709 [inline]\n__sock_sendmsg+0x221/0x270 net/socket.c:724\n____sys_sendmsg+0x53a/0x860 net/socket.c:2564\n___sys_sendmsg net/socket.c:2618 [inline]\n__sys_sendmsg+0x269/0x350 net/socket.c:2650\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f42d1b8d169\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ...\nRSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169\nRDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c\nRBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8\n</TASK>\nAllocated by task 10025:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\nkasan_kmalloc include/linux/kasan.h:260 [inline]\n__do_kmalloc_node mm/slub.c:4294 [inline]\n__kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313\n__kmemdup_nul mm/util.c:61 [inline]\nkstrdup+0x42/0x100 mm/util.c:81\nkobject_set_name_vargs+0x61/0x120 lib/kobject.c:274\ndev_set_name+0xd5/0x120 drivers/base/core.c:3468\nassign_name drivers/infiniband/core/device.c:1202 [inline]\nib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384\nrxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540\nrxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550\nrxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212\nnldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795\nrdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\nrdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259\nnetlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\nnetlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339\nnetlink_sendmsg+0x8de/0xcb0 net\n---truncated---" ],
  "statement" : "In order to trigger the use-after-free bug, one needs to rename a device, which can only be done by privileged users.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12662",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.25.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-07-28T00:00:00Z",
    "advisory" : "RHSA-2025:11861",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.30.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-07-28T00:00:00Z",
    "advisory" : "RHSA-2025:11861",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.30.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-22085\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22085\nhttps://lore.kernel.org/linux-cve-announce/2025041615-CVE-2025-22085-d167@gregkh/T" ],
  "name" : "CVE-2025-22085",
  "csaw" : false
}