CVE intelligence and bounded remediation
CVE-2025-21652 — In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix use-after-free in ipvlan_get_iflink()
In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix use-after-free in ipvlan_get_iflink(). syzbot presented an use-after-free report [0] regarding ipvlan and linkwatch. ipvlan does not hold a refcnt of the lower device unlike vlan and macvlan. If the linkwatch work is triggered for the ipvlan dev, the lower dev might have already been freed, resulting in UAF of ipvlan->phy_dev in ipvlan_get_iflink(). We can delay the lower dev unregistration like vlan and macvlan by holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and releasing it in dev->priv_destructor(). Jakub pointed out calling .ndo_XXX after unregister_netdevice() has returned is error prone and suggested [1] addressing this UAF in the core by taking commit 750e51603395 ("net: avoid potential UAF in default_operstate()") further. Let's assume unregistering devices DOWN and use RCU protection in default_operstate() not to race with the device unregistration. [0]: BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944 CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.1…
- Severity
- High
- CVSS
- 7.8 (3.1)
- Published
- 2025-01-19
- CISA KEV
- Not currently listed
- Ecosystem
- linux/kernel
- Weaknesses
- CWE-416
Affected products
- linux / linux_kernel
- linux / linux_kernel / 6.13
Matched remediation archetype
Use-after-free, double free, and expired resource use
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Trace ownership, references, callbacks, asynchronous tasks, and teardown paths around the affected object or resource.
- Identify reachable inputs and timing or state transitions that can release the object while references remain.
- Confirm affected builds, allocators, feature flags, architectures, and process privileges.
Remediate safely
- Apply the maintained ownership or lifetime fix and rebuild all artifacts containing the affected native code.
- Use explicit ownership, safe reference management, cancellation and join semantics, and idempotent teardown.
- Add deterministic lifetime tests plus isolated sanitizer and concurrency coverage for shutdown and error paths.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.