Description
In the Linux kernel, the following vulnerability has been resolved:

ipv4: start using dst_dev_rcu()

Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.

Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(), ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().
Report
The patch replaces non-RCU-safe dst_dev() usages with dst_dev_rcu() and wraps lookups with proper rcu_read_lock(). Without this, concurrency with route/device teardown could yield a dangling dst->dev and a kernel use-after-free, crashing the host.

Remote packets can reach these code paths (ICMP, IPv4 defrag, multicast), but a practical trigger typically requires concurrent routing/device changes on the host (admin action), hence the CVSS rating of AC:H and a most likely DoS-only impact.

This issue cannot be reliably triggered by sending crafted packets alone: successful exploitation requires concurrent privileged/server-side actions (e.g. route/interface removal, driver unbind or network-namespace teardown) that change or free the dst->dev while packet processing is underway. A purely unprivileged remote actor cannot force those conditions on a correctly configured system. This makes reliable exploitation difficult and confines the risk mainly to DoS. Remote exploitation with a single packet without privileged actions on the host is not expected.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Will not fix | | |
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | | |
| Red Hat Enterprise Linux 7 | kernel | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | | |
| Red Hat Enterprise Linux 8 | kernel | Will not fix | | |
| Red Hat Enterprise Linux 8 | kernel-rt | Affected | | |
| Red Hat Enterprise Linux 9 | kernel | Will not fix | | |
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | | |
Additional information
Status:
EPSS
CVSS3: 6.4 Medium