VYPR
Unrated severity · NVD Advisory · Published Oct 15, 2025 · Updated Apr 15, 2026

CVE-2025-39978

Description

In the Linux kernel, the following vulnerability has been resolved:

octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()

This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is an RCU safe region. Re-order it to do the dereferences before queuing up the free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Linux kernel octeontx2-pf driver: otx2_tc_add_flow() frees node then dereferences it, risking local privilege escalation.

Vulnerability

Details

In the Linux kernel's octeontx2-pf driver, the function otx2_tc_add_flow() contains a use-after-free bug. The code calls kfree_rcu(new_node, rcu), which queues new_node to be freed once an RCU grace period has elapsed, and then dereferences new_node on the next line. The description notes that the code takes a mutex two lines later, so this does not appear to be an RCU-protected region. Nothing therefore guarantees that the grace period is still open at the dereference: the memory may already have been freed and reused, which is a use-after-free. The fix reorders the operations so that all dereferences occur before the kfree_rcu() call [1][2].
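
The ordering problem described above, as an added userspace model in C (not the driver's code and not taken from the fix commits). The toy_* helpers and the needs_cleanup field are hypothetical, and the model tracks object state instead of freeing real memory.

```c
/* Added example: userspace model of the ordering bug. The toy_* names and
 * needs_cleanup are hypothetical stand-ins, not the driver's own code. */
#include <stdbool.h>
#include <stdio.h>
enum toy_state { TOY_LIVE, TOY_QUEUED, TOY_FREED };
struct toy_node {
    enum toy_state st;   /* shadow state, as a sanitizer would track it */
    bool needs_cleanup;  /* hypothetical field read on the error path */
};

/* Model of kfree_rcu(): queue the free; the object is still valid for now. */
static void toy_kfree_rcu(struct toy_node *n) { n->st = TOY_QUEUED; }

/* A point where the task can be preempted or sleep. Outside an RCU read-side
 * critical section a grace period may end here (gp_ends = true). */
static void toy_sched_point(struct toy_node *n, bool gp_ends)
{
    if (gp_ends && n->st == TOY_QUEUED)
        n->st = TOY_FREED;
}

/* Checked read: counts a use-after-free instead of trusting freed memory. */
static bool toy_read(const struct toy_node *n, int *uaf)
{
    *uaf += (n->st == TOY_FREED);
    return n->st != TOY_FREED && n->needs_cleanup;
}

/* Returns the number of use-after-free reads. fixed=false queues the free
 * and then dereferences (old order); fixed=true dereferences first. */
static int toy_error_path(bool fixed, bool gp_ends)
{
    struct toy_node n = { TOY_LIVE, true };
    int uaf = 0;
    if (fixed)
        (void)toy_read(&n, &uaf);
    toy_kfree_rcu(&n);
    toy_sched_point(&n, gp_ends);
    if (!fixed)
        (void)toy_read(&n, &uaf);
    return uaf;
}

int main(void)
{
    printf("before fix: %d UAF read(s); after fix: %d\n",
           toy_error_path(false, true), toy_error_path(true, true));
    return 0;
}
```

With gp_ends set to false the old order reports no bad read, which is why an ordering bug like this can pass functional testing and only surface under a sanitizer or an unlucky schedule.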

Exploitation

An attacker with local access to the system can trigger this vulnerability by adding a TC (traffic control) flow via the affected driver. No special privileges beyond the ability to interact with the network interface may be required, as the code path is reachable from user space through netlink or similar interfaces. The vulnerability does not require physical access or network-based exploitation.

Impact

Successful exploitation could allow an attacker to corrupt kernel memory, potentially leading to privilege escalation or a denial of service (system crash). The exact impact depends on the system configuration and the attacker's ability to control the freed memory.

Mitigation

The fix has been applied to the stable kernel trees as commits [1] and [2]. Users should update their Linux kernel to a version that includes these patches. No workaround is available; updating the kernel is the recommended mitigation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 5

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5
