CVE-2025-39978 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is an RCU safe region. Re-order it to do the dereferences before queuing up the free.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/5723120423a753a220b8b2954b273838b9d7e74a
https://git.kernel.org/stable/c/a8a63f27c3a8a3714210d32b12fd0f16d0337414
https://git.kernel.org/stable/c/c41b2941a024d4ec7c768e16ffb10a74b188fced
https://git.kernel.org/stable/c/d9c70e93ec5988ab07ad2a92d9f9d12867f02c56
https://git.kernel.org/stable/c/df2c071061ed52d2225d97b212d27ecedf456b8a

History

Wed, 15 Oct 2025 08:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is an RCU safe region. Re-order it to do the dereferences before queuing up the free.
Title		octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
References		https://git.kernel.org/stable/c/5723120423a753a220b8b2954b273838b9d7e74a https://git.kernel.org/stable/c/a8a63f27c3a8a3714210d32b12fd0f16d0337414 https://git.kernel.org/stable/c/c41b2941a024d4ec7c768e16ffb10a74b188fced https://git.kernel.org/stable/c/d9c70e93ec5988ab07ad2a92d9f9d12867f02c56 https://git.kernel.org/stable/c/df2c071061ed52d2225d97b212d27ecedf456b8a

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-10-15T07:55:58.949Z

Updated: 2025-10-15T07:55:58.949Z

Reserved: 2025-04-16T07:20:57.150Z

Link: CVE-2025-39978

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-15T08:15:35.640

Modified: 2025-10-15T08:15:35.640

Link: CVE-2025-39978

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39978", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.150Z", "datePublished": "2025-10-15T07:55:58.949Z", "dateUpdated": "2025-10-15T07:55:58.949Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-15T07:55:58.949Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix potential use after free in otx2_tc_add_flow()\n\nThis code calls kfree_rcu(new_node, rcu) and then dereferences \"new_node\"\nand then dereferences it on the next line. Two lines later, we take\na mutex so I don't think this is an RCU safe region. Re-order it to do\nthe dereferences before queuing up the free."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c"], "versions": [{"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac", "lessThan": "5723120423a753a220b8b2954b273838b9d7e74a", "status": "affected", "versionType": "git"}, {"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac", "lessThan": "df2c071061ed52d2225d97b212d27ecedf456b8a", "status": "affected", "versionType": "git"}, {"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac", "lessThan": "c41b2941a024d4ec7c768e16ffb10a74b188fced", "status": "affected", "versionType": "git"}, {"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac", "lessThan": "a8a63f27c3a8a3714210d32b12fd0f16d0337414", "status": "affected", "versionType": "git"}, {"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac", "lessThan": "d9c70e93ec5988ab07ad2a92d9f9d12867f02c56", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.155", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.109", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.50", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.10", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1.155"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.6.109"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.12.50"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.16.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5723120423a753a220b8b2954b273838b9d7e74a"}, {"url": "https://git.kernel.org/stable/c/df2c071061ed52d2225d97b212d27ecedf456b8a"}, {"url": "https://git.kernel.org/stable/c/c41b2941a024d4ec7c768e16ffb10a74b188fced"}, {"url": "https://git.kernel.org/stable/c/a8a63f27c3a8a3714210d32b12fd0f16d0337414"}, {"url": "https://git.kernel.org/stable/c/d9c70e93ec5988ab07ad2a92d9f9d12867f02c56"}], "title": "octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()", "x_generator": {"engine": "bippy-1.2.0"}}}}