CVE-2025-38588

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent infinite loop in rt6_nlmsg_size() While testing prior patch, I was able to trigger an infinite loop in rt6_nlmsg_size() in the following place: list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); } This is because fib6_del_route() and fib6_add_rt2node() uses list_del_rcu(), which can confuse rcu readers, because they might no longer see the head of the list. Restart the loop if f6i->fib6_nsiblings is zero.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/3c13db3e47e170bab19e574404e7b6be45ea873d	Patch
https://git.kernel.org/stable/c/46aeb66e9e54ed0d56c18615e1c3dbd502b327ab	Patch
https://git.kernel.org/stable/c/54e6fe9dd3b0e7c481c2228782c9494d653546da	Patch
https://git.kernel.org/stable/c/6d345136c9b875f065d226908a29c25cdf9343f8	Patch
https://git.kernel.org/stable/c/cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38	Patch
https://git.kernel.org/stable/c/e1b7932af47f92432be8303d2439d1bf77b0be23	Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-19 17:15

Updated : 2026-01-07 18:44

NVD link : CVE-2025-38588

Mitre link : CVE-2025-38588

CVE.ORG link : CVE-2025-38588

JSON object : View

Products Affected

debian

debian_linux

linux

linux_kernel

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

{"id": "CVE-2025-38588", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-08-19T17:15:36.383", "references": [{"url": "https://git.kernel.org/stable/c/3c13db3e47e170bab19e574404e7b6be45ea873d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/46aeb66e9e54ed0d56c18615e1c3dbd502b327ab", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54e6fe9dd3b0e7c481c2228782c9494d653546da", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6d345136c9b875f065d226908a29c25cdf9343f8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e1b7932af47f92432be8303d2439d1bf77b0be23", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-835"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent infinite loop in rt6_nlmsg_size()\n\nWhile testing prior patch, I was able to trigger\nan infinite loop in rt6_nlmsg_size() in the following place:\n\nlist_for_each_entry_rcu(sibling, &f6i->fib6_siblings,\n\t\t\tfib6_siblings) {\n\trt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);\n}\n\nThis is because fib6_del_route() and fib6_add_rt2node()\nuses list_del_rcu(), which can confuse rcu readers,\nbecause they might no longer see the head of the list.\n\nRestart the loop if f6i->fib6_nsiblings is zero."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ipv6: evitar bucle infinito en rt6_nlmsg_size(). Durante las pruebas del parche anterior, logr\u00e9 activar un bucle infinito en rt6_nlmsg_size() en el siguiente lugar: list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); }. Esto se debe a que fib6_del_route() y fib6_add_rt2node() usan list_del_rcu(), lo que puede confundir a los lectores de rcu, ya que podr\u00edan dejar de ver el encabezado de la lista. Reinicie el bucle si f6i->fib6_nsiblings es cero."}], "lastModified": "2026-01-07T18:44:49.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC2E93F9-382A-4A22-8F04-E49BFEA01AD1", "versionEndExcluding": "6.1.148", "versionStartIncluding": "6.1.128"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DFFD570A-F58E-44C8-AD93-ED902388025E", "versionEndExcluding": "6.6.102", "versionStartIncluding": "6.6.75"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CBF5F6E-D446-4CAE-AAA4-413442319824", "versionEndExcluding": "6.12", "versionStartIncluding": "6.11.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAD298FC-9AEE-48B8-99E0-F5565B4A3680", "versionEndExcluding": "6.12.42", "versionStartIncluding": "6.12.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5890C690-B295-40C2-9121-FF5F987E5142", "versionEndExcluding": "6.15.10", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58182352-D7DF-4CC9-841E-03C1D852C3FB", "versionEndExcluding": "6.16.1", "versionStartIncluding": "6.16"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}