CVE-2025-22005

ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

Description

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the error path. Note that we can remove the fib6_nh_release() call in nh_create_ipv6() later in net-next.git.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/16267a5036173d0173377545b4b6021b081d0933 patch
https://git.kernel.org/stable/c/1bd12dfc058e1e68759d313d7727d68dbc1b8964 patch
https://git.kernel.org/stable/c/596a883c4ce2d2e9c175f25b98fed3a1f33fea38 patch
https://git.kernel.org/stable/c/77c41cdbe6bce476e08d3251c0d501feaf10a9f3 patch
https://git.kernel.org/stable/c/119dcafe36795a15ae53351cbbd6177aaf94ffef patch
https://git.kernel.org/stable/c/29d91820184d5cbc70f3246d4911d96eaeb930d6 patch
https://git.kernel.org/stable/c/d3d5b4b5ae263c3225db363ba08b937e2e2b0380 patch
https://git.kernel.org/stable/c/9740890ee20e01f99ff1dde84c63dcf089fabb98 patch

Frequently Asked Questions

What is the severity of CVE-2025-22005?
CVE-2025-22005 has been scored as a medium severity vulnerability.
How to fix CVE-2025-22005?
To fix CVE-2025-22005, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-22005 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-22005 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-22005?
CVE-2025-22005 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.