Fixed
Created: Jul 28, 2025
Updated: Aug 10, 2025
Resolved Date: Aug 10, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

rose: fix dangling neighbour pointers in rose_rt_device_down()

There are two bugs in rose_rt_device_down() that can cause
use-after-free:

1. The loop bound `t->count` is modified within the loop, which can
   cause the loop to terminate early and miss some entries.

2. When removing an entry from the neighbour array, the subsequent entries
   are moved up to fill the gap, but the loop index `i` is still
   incremented, causing the next entry to be skipped.

For example, if a node has three neighbours (A, A, B) with count=3 and A
is being removed, the second A is not checked.

    i=0: (A, A, B) -> (A, B) with count=2
          ^ checked
    i=1: (A, B)    -> (A, B) with count=2
             ^ checked (B, not A!)
    i=2: (doesn't occur because i < count is false)

This leaves the second A in the array with count=2, but the rose_neigh
structure has been freed. Code that accesses these entries assumes that
the first `count` entries are valid pointers, causing a use-after-free
when it accesses the dangling pointer.

Fix both issues by iterating over the array in reverse order with a fixed
loop bound. This ensures that all entries are examined and that the removal
of an entry doesn't affect subsequent iterations.
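
The (A, A, B) case from the description above, as an added example that is not the kernel's code or part of the original advisory. It is a simplified model: neighbours are constructed integer IDs rather than rose_neigh pointers, and every name in it (node_model, remove_at, remove_forward_buggy, remove_reverse_fixed, stale_refs) is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: a "dangling" entry is a stale ID left in the live range. */
enum { A = 1, B = 2 };
struct node_model { int neighbour[3]; int count; };

/* Shift the entries after index i up by one and shrink the live count. */
static void remove_at(struct node_model *t, int i)
{
    t->count--;
    memmove(&t->neighbour[i], &t->neighbour[i + 1],
            sizeof(t->neighbour[0]) * (size_t)(t->count - i));
}

/* Forward scan as described: the bound shrinks during the loop and i still
 * advances after a removal, so the entry that slid into slot i is skipped. */
static void remove_forward_buggy(struct node_model *t, int victim)
{
    for (int i = 0; i < t->count; i++)
        if (t->neighbour[i] == victim)
            remove_at(t, i);
}

/* Reverse scan: the start index is taken once, and a removal only moves
 * entries that have already been examined. */
static void remove_reverse_fixed(struct node_model *t, int victim)
{
    for (int i = t->count - 1; i >= 0; i--)
        if (t->neighbour[i] == victim)
            remove_at(t, i);
}

/* Count entries among the first `count` slots that still name the victim. */
static int stale_refs(const struct node_model *t, int victim)
{
    int n = 0;
    for (int i = 0; i < t->count; i++)
        n += (t->neighbour[i] == victim);
    return n;
}

int main(void)
{
    struct node_model bug = { { A, A, B }, 3 }, fix = { { A, A, B }, 3 };
    remove_forward_buggy(&bug, A);
    remove_reverse_fixed(&fix, A);
    printf("forward: count=%d stale=%d\n", bug.count, stale_refs(&bug, A));
    printf("reverse: count=%d stale=%d\n", fix.count, stale_refs(&fix, A));
}
```
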
CREATE(Triage):(User=admin) [CVE-2025-38377 (https://nvd.nist.gov/vuln/detail/CVE-2025-38377)