VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026

CVE-2025-40074

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv4: start using dst_dev_rcu()

Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.

Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(), ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free (UAF) vulnerability in the Linux kernel's IPv4 stack, addressed by switching to the RCU-protected dst_dev_rcu() function in multiple code paths.

Vulnerability Overview

CVE-2025-40074 is a use-after-free (UAF) vulnerability in the Linux kernel's IPv4 networking stack. The root cause is that certain functions—icmpv4_xrlim_allow(), ip_defrag(), ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(), and ipv4_neigh_lookup()—were accessing the dst->dev field without proper RCU protection. This could lead to a UAF condition when the network device is removed while the reference is still in use [1].

Exploitation and Attack Surface

Exploitation requires an attacker to trigger a race condition between a network event (e.g., device removal) and the execution of one of the affected functions. The attack surface is local, as the vulnerability resides in kernel code reachable from user space via network operations. No special privileges are needed beyond the ability to send or receive network traffic, making it a potential vector for privilege escalation or denial of service [1].

Impact

A successful exploit could allow an attacker to cause a kernel crash (denial of service) or potentially achieve arbitrary code execution in kernel context, depending on the specific UAF scenario. The vulnerability affects systems running unpatched Linux kernel versions prior to the fix [1].

Mitigation

The fix, introduced in commit 6ad8de3cefdb, replaces direct dst->dev accesses with the RCU-safe dst_dev_rcu() function, ensuring proper synchronization. Users should apply the latest stable kernel updates to remediate this issue [1].
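To confirm that a vendor or backported source tree carries the pattern described above, the following added example (not code from the kernel project or from this advisory) scans C source text for the six functions named in the description and reports whether each body calls a helper ending in `dst_dev_rcu(`. The names `function_body`, `audit` and `SAMPLE` are hypothetical, the sample source is constructed and simplified, and the brace matching is a heuristic that ignores braces inside comments and strings.

```python
import re
# Functions the CVE description names as changed by the fix.
AFFECTED = ("icmpv4_xrlim_allow", "ip_defrag", "ipmr_prepare_xmit",
            "ipmr_queue_fwd_xmit", "ip_mr_output", "ipv4_neigh_lookup")

def function_body(source, name):
    """Return the brace-delimited body of a column-0 C definition, or None."""
    head = re.search(r"^\w[^\n;(){}]*\b%s\s*\([^;{}()]*\)\s*\{" % re.escape(name),
                     source, re.M)
    if not head:
        return None
    depth, start = 0, head.end() - 1
    for i in range(start, len(source)):
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        if depth == 0:
            return source[start:i + 1]
    return None  # unbalanced braces, e.g. truncated input

def audit(source):
    """Map each affected function to rcu-helper, needs-review or not-found."""
    report = {}
    for name in AFFECTED:
        body = function_body(source, name)
        if body is None:
            report[name] = "not-found"
        else:
            # Substring match also accepts wrappers whose name ends in dst_dev_rcu.
            report[name] = "rcu-helper" if "dst_dev_rcu(" in body else "needs-review"
    return report

# Constructed, simplified sample input; not real kernel source.
SAMPLE = """
static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt)
{
    bool rc = false;
    rcu_read_lock();
    if (dst_dev_rcu(&rt->dst)) { rc = true; }
    rcu_read_unlock();
    return rc;
}
int ip_defrag(struct net *net, struct sk_buff *skb, u32 user)
{
    return skb_dst(skb)->dev ? icmpv4_xrlim_allow(net, NULL) : 0;
}
"""

if __name__ == "__main__":
    for fn, status in audit(SAMPLE).items():
        print(f"{fn:22} {status}")
```

A `needs-review` result means only that the helper was not found in that function body; it is a prompt to compare the function against the upstream fix, not proof that the tree is vulnerable.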

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

2

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
