{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: tun: Update napi->skb after XDP process",
    "id" : "2404111",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2404111"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: tun: Update napi->skb after XDP process\nThe syzbot reports a UAF issue:\nBUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]\nBUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]\nBUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758\nRead of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079\nCPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nCall Trace:\n<TASK>\ndump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0xca/0x240 mm/kasan/report.c:482\nkasan_report+0x118/0x150 mm/kasan/report.c:595\nskb_reset_mac_header include/linux/skbuff.h:3150 [inline]\nnapi_frags_skb net/core/gro.c:723 [inline]\nnapi_gro_frags+0x6e/0x1030 net/core/gro.c:758\ntun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920\ntun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\nnew_sync_write fs/read_write.c:593 [inline]\nvfs_write+0x5c9/0xb30 fs/read_write.c:686\nksys_write+0x145/0x250 fs/read_write.c:738\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n</TASK>\nAllocated by task 6079:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3e/0x80 mm/kasan/common.c:68\nunpoison_slab_object mm/kasan/common.c:330 [inline]\n__kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558\nkasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]\nnapi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295\n__alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657\nnapi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811\nnapi_get_frags+0x69/0x140 net/core/gro.c:673\ntun_napi_alloc_frags drivers/net/tun.c:1404 [inline]\ntun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784\ntun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\nnew_sync_write fs/read_write.c:593 [inline]\nvfs_write+0x5c9/0xb30 fs/read_write.c:686\nksys_write+0x145/0x250 fs/read_write.c:738\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nFreed by task 6079:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3e/0x80 mm/kasan/common.c:68\nkasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\npoison_slab_object mm/kasan/common.c:243 [inline]\n__kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275\nkasan_slab_free include/linux/kasan.h:233 [inline]\nslab_free_hook mm/slub.c:2422 [inline]\nslab_free mm/slub.c:4695 [inline]\nkmem_cache_free+0x18f/0x400 mm/slub.c:4797\nskb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969\nnetif_skb_check_for_xdp net/core/dev.c:5390 [inline]\nnetif_receive_generic_xdp net/core/dev.c:5431 [inline]\ndo_xdp_generic+0x699/0x11a0 net/core/dev.c:5499\ntun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872\ntun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\nnew_sync_write fs/read_write.c:593 [inline]\nvfs_write+0x5c9/0xb30 fs/read_write.c:686\nksys_write+0x145/0x250 fs/read_write.c:738\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nAfter commit e6d5dbdd20aa (\"xdp: add multi-buff support for xdp running in\ngeneric mode\"), the original skb may be freed in skb_pp_cow_data() when\nXDP program was attached, which was allocated in tun_napi_alloc_frags().\nHowever, the napi->skb still points to the original skb, update it after\nXDP process.", "A use-after-free flaw was found in tun_get_user in drivers/net/tun.c, in the network TUNnel module of the Linux kernel. This flaw could allow an attacker to crash the system at device disconnect. This vulnerability could even lead to a kernel information leak." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23279",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.21.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23250",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.50.1.el10_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39984\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39984\nhttps://lore.kernel.org/linux-cve-announce/2025101500-CVE-2025-39984-2d3f@gregkh/T" ],
  "name" : "CVE-2025-39984",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently\navailable options don't meet the Red Hat Product Security criteria\ncomprising ease of use and deployment, applicability to widespread\ninstallation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}