CVE-2025-40158
Description
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU in ip6_output()
Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF.
We can remove rcu_read_lock()/rcu_read_unlock() pairs from ip6_finish_output2().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free (UAF) vulnerability in the Linux kernel's IPv6 output path is fixed by converting ip6_output() to use RCU and dst_dev_rcu().
Vulnerability
Overview
CVE-2025-40158 is a use-after-free (UAF) vulnerability in the Linux kernel's IPv6 networking stack. The issue resides in the ip6_output() function, which previously did not properly protect the device (dst->dev) reference with RCU. This could lead to a UAF condition when the device is freed while still being accessed. The fix introduces RCU protection in ip6_output() by using dst_dev_rcu() to safely dereference the device reference, ensuring safe access under RCU read lock [1].
Exploitation
The vulnerability can be triggered during IPv6 packet output processing. An attacker would need to be able to send IPv6 traffic and trigger a device removal or namespace cleanup race condition. No authentication is required if the attacker can send packets to the system, but the race window is narrow. The attack surface is local or from an adjacent network, depending on the system's network configuration [1].
Impact
Successful exploitation could allow an attacker to cause a use-after-free, leading to a kernel crash (denial of service) or potentially arbitrary code execution with kernel privileges. The CVSS score is not provided, but UAF bugs in kernel networking are typically rated high or critical [1].
Mitigation
The fix has been applied to the Linux kernel stable tree as commit 0393f85c3241c19ba8550f04a812e7d19f6b3082. Users should update their kernel to a version containing this commit. No workaround is mentioned; the patch is the recommended mitigation [1].
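One way to check whether a kernel git tree already contains this fix, as an added example (not part of the CVE record or the kernel project). It assumes you build from a git clone of the kernel source; the function name `has_fix` is hypothetical. It tries the patch commit ids listed on this page first, then falls back to the commit subject, because a backport to another branch carries a different id.

```shell
#!/bin/sh
# Added example: does a kernel git ref contain the CVE-2025-40158 fix?
# Usage (after sourcing this file): has_fix /path/to/linux HEAD
FIX_SUBJECT='ipv6: use RCU in ip6_output()'
FIX_COMMITS='0393f85c3241c19ba8550f04a812e7d19f6b3082 11709573cc4e'

# has_fix REPO [REF] [SUBJECT] [COMMITS]
# Returns 0 if the fix is in REF's history, 1 if not, 2 if REF is invalid.
has_fix() {
    repo=$1
    ref=${2:-HEAD}
    subject=${3:-$FIX_SUBJECT}
    commits=${4:-$FIX_COMMITS}

    git -C "$repo" rev-parse --verify --quiet "${ref}^{commit}" >/dev/null || {
        echo "error: cannot resolve '$ref' in $repo" >&2
        return 2
    }

    # 1. Exact match: a listed fix commit is an ancestor of REF.
    for c in $commits; do
        # Skip ids this clone does not have (e.g. another stable branch).
        git -C "$repo" rev-parse --verify --quiet "${c}^{commit}" >/dev/null || continue
        if git -C "$repo" merge-base --is-ancestor "$c" "$ref"; then
            echo "patched: $ref contains $c"
            return 0
        fi
    done

    # 2. Backports get new ids: look for a commit whose subject line is
    #    exactly the fix subject (a "Revert ..." commit must not count).
    hit=$(git -C "$repo" log --format='%H %s' --fixed-strings \
              --grep="$subject" "$ref" |
          while read -r h s; do
              if [ "$s" = "$subject" ]; then echo "$h"; break; fi
          done)
    if [ -n "$hit" ]; then
        echo "patched: $ref contains $hit (matched by subject)"
        return 0
    fi

    echo "not found: $ref has no commit for '$subject'"
    return 1
}
```

A "not found" result on a vendor kernel whose git history is squashed or unavailable is inconclusive; in that case rely on the vendor's advisory for this CVE.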
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 2 (0393f85c3241, 11709573cc4e)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0 (no linked articles in our index yet)