CVE-2025-39827
Description
In the Linux kernel, the following vulnerability has been resolved:
net: rose: include node references in rose_neigh refcount
Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock.
This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented.
This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node().
These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.
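The lifetime problem described above can be reproduced in a small userspace model. This is an added example, not kernel code and not taken from the patch: only the field names `use` and `count` come from the description, all other names are hypothetical, and the model assumes the object is released when `use` drops to zero.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: 'use' and 'count' follow the CVE description,
 * every other name is hypothetical. 'freed' stands in for kfree(). */
struct neigh_model {
    int use;     /* lifetime refcount: released when it drops to 0 */
    int count;   /* node (route) references */
    bool freed;
    bool merged; /* false = pre-fix accounting, true = post-fix */
};

static void neigh_put(struct neigh_model *n)
{
    if (--n->use == 0)
        n->freed = true;
}

static void node_link(struct neigh_model *n)
{
    n->count++;
    if (n->merged)
        n->use++;          /* node reference now pins the lifetime */
}

static void node_unlink(struct neigh_model *n)
{
    n->count--;
    if (n->merged)
        neigh_put(n);      /* drop the reference before the node goes away */
}

/* One node and one socket share a neighbour; the socket closes first.
 * Returns true if the neighbour was released while the node still held it;
 * *freed_at_end reports whether it is released once the node lets go. */
bool released_under_node(bool merged, bool *freed_at_end)
{
    struct neigh_model n = { .merged = merged };
    node_link(&n);
    n.use++;               /* socket takes its reference */
    neigh_put(&n);         /* socket closes */
    bool early = n.freed && n.count > 0;
    node_unlink(&n);
    *freed_at_end = n.freed;
    return early;
}

int main(void)
{
    bool end;
    printf("separate counters: early release = %d\n", released_under_node(false, &end));
    printf("merged counters:   early release = %d\n", released_under_node(true, &end));
    return 0;
}
```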
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's ROSE protocol implementation, caused by improper reference counting, can lead to a system crash or information disclosure.
Vulnerability
The vulnerability resides in the Linux kernel's ROSE (amateur radio AX.25) protocol implementation. The struct rose_neigh maintained two separate reference counters: count for references from rose_node structures and use for references from rose_sock. This separation allowed the count to be decremented without adjusting the use refcount, leading to premature freeing of rose_neigh objects while still referenced.
Exploitation
The issue can be triggered when functions such as rose_rt_free(), rose_rt_device_down(), or rose_clear_route() release a rose_node without properly releasing the associated rose_neigh through the use refcount. An attacker with local access to a system using the ROSE protocol could potentially trigger the vulnerable code path.
Impact
A successful exploit results in a slab-use-after-free condition, which could cause a kernel crash or potentially allow an attacker to escalate privileges or leak sensitive kernel memory.
Mitigation
The fix merges the two reference counting systems into the use field and modifies the relevant functions to correctly release references before freeing nodes. Patches have been committed to the Linux kernel stable tree. Users should apply the latest kernel updates to mitigate the risk. According to a Siemens ProductCERT advisory, this vulnerability also affects SIMATIC CN 4100 devices [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux/Linux v5, Range: 2.6.12
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728 (nvd, Patch)
- git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639 (nvd, Patch)
- git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115 (nvd, Patch)
- git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b (nvd, Patch)
- git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45 (nvd, Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)