VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40135

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: use RCU in ip6_xmit()

Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, ip6_xmit() is patched to use RCU and dst_dev_rcu() to prevent a use-after-free (UAF) vulnerability in IPv6 packet transmission.

Root cause

The vulnerability resides in the Linux kernel's IPv6 network stack, specifically within the ip6_xmit() function. The function was not using proper RCU (Read-Copy-Update) protection when accessing the destination cache entry (dst). Without RCU, a race condition could occur where the dst structure is freed by another CPU while ip6_xmit() is still using it, leading to a use-after-free (UAF) condition. This is a classic memory safety issue in kernel networking code, where concurrent modification of the routing tables or neighbor discovery can cause the destination entry to be deallocated prematurely. The fix introduces RCU read-side critical sections and replaces a direct dereference with dst_dev_rcu() to safely obtain the device pointer under RCU protection [1][2].

Exploitation

Exploitation requires a local attacker with the ability to trigger IPv6 packet transmission (e.g., via a socket send) while simultaneously inducing a route or neighbour table change that causes the destination cache entry to be freed. No special privileges beyond basic network access are needed if the attacker can time the operations. The attack surface is the ip6_xmit() code path, which is exercised by any IPv6 socket call that results in sending a packet, such as sendto() or sendmsg(). The vulnerability does not require the attacker to be on the same machine's console; a remote attacker sending crafted packets could trigger the race if the kernel processes them concurrently with a route update [1][2].

Impact

A successful UAF exploit can lead to memory corruption, potentially resulting in a denial of service (kernel panic or crash) or, in more severe cases, arbitrary code execution in kernel context. This would give the attacker full control over the system, including the ability to bypass security mechanisms, read sensitive data, or install persistent malware. The CVSS score of 7.8 (High) reflects the potential for high impact on confidentiality, integrity, and availability [1][2].

Mitigation

The fix has been applied to the upstream Linux kernel via commits bd0905e2122e3680968cd0741966983490bf2ed3 and f69fec6287565fdeb61f65e700a1184352306943. Users should update to a kernel version containing these commits or backport the patches. No workaround is available; the only mitigation is to apply the kernel update [1][2].
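
One way to confirm that a vendor or backported source tree carries the change described above, where commit hashes can differ from the two listed, is to look for `dst_dev_rcu()` inside the body of `ip6_xmit()` itself. This is an added example, not code from the kernel project or from this advisory; the helper names `ip6_xmit_body`, `check_ip6_xmit_fix` and `write_samples` and the two sample sources are constructed for illustration, and the path of the file that defines `ip6_xmit()` in your tree is passed in by you.

```shell
#!/bin/sh
# Added example (not kernel or vendor code): source-level check for the ip6_xmit() RCU fix.

# Print the body of ip6_xmit() from the C file "$1".
# Assumes kernel coding style: the definition starts in column 0 and the
# function ends at the first "}" in column 0.
ip6_xmit_body() {
    awk '
        !in_fn && /^[A-Za-z_].*[^A-Za-z0-9_]ip6_xmit\(/ && !/;[ \t]*$/ { in_fn = 1 }
        in_fn { print }
        in_fn && /^}/ { exit }
    ' "$1"
}

# Return 0 if ip6_xmit() calls dst_dev_rcu(), 1 if it does not, 2 if the
# function is not defined in the file. Only the function body is searched,
# because dst_dev_rcu() elsewhere in the file says nothing about ip6_xmit().
check_ip6_xmit_fix() {
    body=$(ip6_xmit_body "$1")
    [ -n "$body" ] || return 2
    printf '%s\n' "$body" | grep -qF 'dst_dev_rcu(' || return 1
    return 0
}

# Constructed sample sources (simplified, not real kernel code) for a dry run.
write_samples() {
    dir=$1
    cat > "$dir/unpatched.c" <<'EOF'
static int other_path(struct dst_entry *dst)
{
	return dst_dev_rcu(dst) != NULL;
}
int ip6_xmit(const struct sock *sk, struct sk_buff *skb)
{
	struct net_device *dev = dst_dev(skb_dst(skb));
	return dev != NULL;
}
EOF
    cat > "$dir/patched.c" <<'EOF'
int ip6_xmit(const struct sock *sk, struct sk_buff *skb)
{
	struct net_device *dev;
	int ok;
	rcu_read_lock();
	dev = dst_dev_rcu(skb_dst(skb));
	ok = dev != NULL;
	rcu_read_unlock();
	return ok;
}
EOF
}
```

Call `check_ip6_xmit_fix <path-to-source-file>` and read the exit status; a status of 1 on a tree that is supposed to be fixed means the backport is missing from that function.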

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 5

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5
