{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T02:52:56.502","vulnerabilities":[{"cve":{"id":"CVE-2025-38666","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-22T16:15:42.000","lastModified":"2026-01-07T17:31:53.137","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: appletalk: Fix use-after-free in AARP proxy probe\n\nThe AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe,\nreleases the aarp_lock, sleeps, then re-acquires the lock. During that\nwindow an expire timer thread (__aarp_expire_timer) can remove and\nkfree() the same entry, leading to a use-after-free.\n\nrace condition:\n\n cpu 0 | cpu 1\n atalk_sendmsg() | atif_proxy_probe_device()\n aarp_send_ddp() | aarp_proxy_probe_network()\n mod_timer() | lock(aarp_lock) // LOCK!!\n timeout around 200ms | alloc(aarp_entry)\n and then call | proxies[hash] = aarp_entry\n aarp_expire_timeout() | aarp_send_probe()\n | unlock(aarp_lock) // UNLOCK!!\n lock(aarp_lock) // LOCK!! | msleep(100);\n __aarp_expire_timer(&proxies[ct]) |\n free(aarp_entry) |\n unlock(aarp_lock) // UNLOCK!! |\n | lock(aarp_lock) // LOCK!!\n | UAF aarp_entry !!\n\n==================================================================\nBUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\nRead of size 4 at addr ffff8880123aa360 by task repro/13278\n\nCPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)\nCall Trace:\n \n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc1/0x630 mm/kasan/report.c:521\n kasan_report+0xca/0x100 mm/kasan/report.c:634\n aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n sock_do_ioctl+0xdc/0x260 net/socket.c:1190\n sock_ioctl+0x239/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \n\nAllocated:\n aarp_alloc net/appletalk/aarp.c:382 [inline]\n aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n\nFreed:\n kfree+0x148/0x4d0 mm/slub.c:4841\n __aarp_expire net/appletalk/aarp.c:90 [inline]\n __aarp_expire_timer net/appletalk/aarp.c:261 [inline]\n aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317\n\nThe buggy address belongs to the object at ffff8880123aa300\n which belongs to the cache kmalloc-192 of size 192\nThe buggy address is located 96 bytes inside of\n freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)\n\nMemory state around the buggy address:\n ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=================================================================="},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: appletalk: Corrección del use-after-free en la sonda de proxy AARP. La rutina de sonda de proxy AARP (aarp_proxy_probe_network) envía una sonda, libera el bloqueo aarp_lock, se suspende y luego vuelve a adquirir el bloqueo. Durante ese período, un subproceso del temporizador de expiración (__aarp_expire_timer) puede eliminar y ejecutar kfree() en la misma entrada, lo que provoca un use-after-free. condición de ejecución: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // ¡BLOQUEO! tiempo de espera de unos 200 ms | alloc(aarp_entry) y luego llamar a | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // ¡DESBLOQUEAR! lock(aarp_lock) // ¡BLOQUEAR! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // ¡DESBLOQUEAR! | | lock(aarp_lock) // ¡BLOQUEAR! | UAF aarp_entry !! ====================================================================== ERROR: KASAN: slab-use-after-free en aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Lectura de tamaño 4 en la dirección ffff8880123aa360 por la tarea repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro No contaminado 6.15.2 #3 PREEMPT(full) Rastreo de llamadas: __dump_stack lib/dump_stack.c:94 [en línea] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [en línea] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [en línea] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [en línea] __do_sys_ioctl fs/ioctl.c:906 [en línea] __se_sys_ioctl fs/ioctl.c:892 [en línea] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [en línea] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Asignado: aarp_alloc net/appletalk/aarp.c:382 [en línea] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [en línea] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Liberado: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 La dirección con errores pertenece al objeto en ffff8880123aa300 que pertenece a la caché kmalloc-192 de tamaño 192 La dirección con errores se encuentra 96 bytes dentro de la región liberada de 192 bytes [ffff8880123aa300, ffff8880123aa3c0) Estado de la memoria alrededor de la dirección con errores: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =================================================================="}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"5.4.297","matchCriteriaId":"F9244D35-DE44-43CF-A62B-1D036E3477DD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.241","matchCriteriaId":"D0D21C35-EB8A-488A-BBF9-403E4817E5DD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.190","matchCriteriaId":"AD9E597F-3DDE-4D7E-976C-463D0611F13F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.148","matchCriteriaId":"3E5B1B93-C244-4B54-B3AB-12C2635A443B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.101","matchCriteriaId":"686C7A1C-35F3-495D-9825-94B5BCED2705"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.41","matchCriteriaId":"7B9B92B6-A7E5-4697-AB94-8432ED55AA05"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.9","matchCriteriaId":"656D6B8C-4D7B-4385-98B6-44EA4AFADD2E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*","matchCriteriaId":"6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"4F76C298-81DC-43E4-8FC9-DC005A2116EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*","matchCriteriaId":"0AB349B2-3F78-4197-882B-90ADB3BF645A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*","matchCriteriaId":"6AC88830-A9BC-4607-B572-A4B502FC9FD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*","matchCriteriaId":"476CB3A5-D022-4F13-AAEF-CB6A5785516A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*","matchCriteriaId":"6D4894DB-CCFE-4602-B1BF-3960B2E19A01"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*","matchCriteriaId":"09709862-E348-4378-8632-5A7813EDDC86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*","matchCriteriaId":"415BF58A-8197-43F5-B3D7-D1D63057A26E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*","matchCriteriaId":"A0517869-312D-4429-80C2-561086E1421C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*","matchCriteriaId":"85421F4E-C863-4ABF-B4B4-E887CC2F7F92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*","matchCriteriaId":"3827F0D4-5FEE-4181-B267-5A45E7CA11FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc7:*:*:*:*:*:*","matchCriteriaId":"7A9C2DE5-43B8-4D73-BDB5-EA55C7671A52"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/186942d19c0222617ef61f50e1dba91e269a5963","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2a6209e4649d45fd85d4193abc481911858ffc6f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5f02ea0f63dd38c41539ea290fcc1693c73aa8e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6c4a92d07b0850342d3becf2e608f805e972467c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/82d19a70ced28b17a38ebf1b6978c6c7db894979","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b35694ffabb2af308a1f725d70f60fd8a47d1f3e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e4f1564c5b699eb89b3040688fd6b4e57922f1f6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f90b6bb203f3f38bf2b3d976113d51571df9a482","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}