High-Risk Vulnerability Alert: Linux Kernel XFRM Double Free Vulnerability CVE-2025-38500

High-Risk Vulnerability Alert: Linux Kernel XFRM Double Free Vulnerability CVE-2025-38500

Vulnerability Description:

In the XFRM interface, the collect_md attribute can only be set during device creation. Therefore, if change_link() is called on an interface of type collect_md, it should directly return a failure. However, the check that was originally intended to enforce this restriction is only performed when locate() returns xi, but locate() itself does not check for interfaces of type collect_md. As a result, this validation logic is never triggered. Consequently, when change_link is called, this special interface xi is incorrectly placed into the xfrmi_net->xfrmi hash table, while at the same time, this interface is also stored in the xfrmi_net->collect_md_xfrmi pointer. This leads to the same interface being freed twice during the destruction of the network namespace (net namespace), resulting in a double free issue, which attackers can exploit to achieve root local privilege escalation.

Attack Scenario:

Attackers may exploit the system through a local low-privilege user, utilizing the XFRM Double Free vulnerability to achieve root local privilege escalation.

Affected Products:

1. The issue was introduced in Linux Kernel version 6.1.

2. Linux Kernel 6.1.147 and earlier versions.

3. Linux Kernel 6.6.100 and earlier versions.

4. Linux Kernel 6.12.40 and earlier versions.

5. Linux Kernel 6.15.8 and earlier versions.

Exploitation Conditions:

Local low-privilege user.

Recommended Fix:

Users of affected kernel versions should upgrade to the following patched kernel versions:

6.1.148

6.6.101

6.12.41

6.15.9

Leave a Comment