CVE-2025-38377 | rose: fix dangling neighbour pointers in rose_rt_device_down()

In the Linux kernel, the following vulnerability has been resolved:

rose: fix dangling neighbour pointers in rose_rt_device_down()

There are two bugs in rose_rt_device_down() that can cause use-after-free:

1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries.

2. When removing an entry from the neighbour array, the subsequent entries are moved up to fill the gap, but the loop index `i` is still incremented, causing the next entry to be skipped.

For example, if a node has three neighbours (A, A, B) with count=3 and A is being removed, the second A is not checked.

    i=0: (A, A, B)   ->  (A, B) with count=2
          ^ checked
    i=1: (A, B)      ->  (A, B) with count=2
             ^ checked (B, not A!)
    i=2: (doesn't occur because i < count is false)

This leaves the second A in the array with count=2, but the rose_neigh structure has been freed. Code that accesses these entries assumes that the first `count` entries are valid pointers, causing a use-after-free when it accesses the dangling pointer.

Fix both issues by iterating over the array in reverse order with a fixed loop bound. This ensures that all entries are examined and that the removal of an entry doesn't affect subsequent iterations.
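The (A, A, B) walk-through described above, as an added userspace model (not the kernel's code and not part of the original advisory). The names node_model, remove_at, drop_forward, drop_reverse and stale_after are hypothetical, and letters stand in for rose_neigh pointers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a route node: letters instead of rose_neigh pointers. */
struct node_model {
    char neigh[3];
    int count;
};

/* Delete slot i by moving the later entries up to fill the gap. */
static void remove_at(struct node_model *t, int i)
{
    t->count--;
    memmove(&t->neigh[i], &t->neigh[i + 1], (size_t)(t->count - i));
}

/* Both bugs: the bound shrinks inside the loop and i still advances. */
static void drop_forward(struct node_model *t, char gone)
{
    for (int i = 0; i < t->count; i++)
        if (t->neigh[i] == gone)
            remove_at(t, i);
}

/* Shape of the fix: reverse order, start index computed once. */
static void drop_reverse(struct node_model *t, char gone)
{
    for (int i = t->count - 1; i >= 0; i--)
        if (t->neigh[i] == gone)
            remove_at(t, i);
}

/* Run one strategy on the constructed (A, A, B) input and count the live
 * slots that still name the freed neighbour (the would-be dangling pointers). */
static int stale_after(int reverse)
{
    struct node_model t = { { 'A', 'A', 'B' }, 3 };
    int n = 0;
    if (reverse) drop_reverse(&t, 'A'); else drop_forward(&t, 'A');
    for (int i = 0; i < t.count; i++)
        n += (t.neigh[i] == 'A');
    return n;
}

int main(void)
{
    printf("forward: %d stale, reverse: %d stale\n", stale_after(0), stale_after(1));
    return 0;
}
```

The forward loop leaves one live slot still naming A, which is the entry that becomes a dangling pointer once the neighbour is freed; the reverse loop leaves none.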

Published: 2025-07-25
Last update: 2026-06-17
Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Conclusion & alert: CVE-2025-38377 is rated Low Risk (33.1/100): CVSS High severity, with low exploitation likelihood (EPSS 0.16%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-38377

The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.05% 0.16% +0.11%
2 2026-05-21 0.03% 0.05% +0.02%
3 2025-12-19 0.03%

Full EPSS history (5 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-38377


Base score: 7.8
Version: 3.1
Severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8
Impact: 5.9
Score source: [email protected]

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward, with no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component, with no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data, so trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

Weakness enumeration for CVE-2025-38377

OS Trackers for CVE-2025-38377

debian
  Priority: not yet assigned
  Summary: CVE-2025-38377 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.
  Link: https://security-tracker.debian.org/tracker/CVE-2025-38377

redhat
  Link: https://access.redhat.com/security/cve/CVE-2025-38377

suse
  Priority: high
  Summary: CVE-2025-38377 severity important: SUSE including 482 source package names (2.1.3-6.67:kernel-default-base-6.4.0-32.1.21.10, 2.1.3-7.44:kernel-default-6.4.0-32.1, …), 1105 product×package rows across 208 product lines (Container suse/sl-micro/6.0/base-os-container, Container suse/sl-micro/6.0/kvm-os-container, … (208 product lines)): Fixed 627, Known Affected 231, Will Not Fix 131, Known Not Affected 95, First Fixed 21.
  Link: https://www.suse.com/security/cve/CVE-2025-38377/

ubuntu
  Priority: medium
  Summary: CVE-2025-38377 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, released 170, ignored 159, needed 44, not-affected 21, needs-triage 2, pending 1.
  Link: https://ubuntu.com/security/CVE-2025-38377

Affected software / configurations for CVE-2025-38377

Vendor Product Version Raw CPE
linux linux_kernel >= 2.6.13, < 5.4.296 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.5, < 5.10.240 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.11, < 5.15.187 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.16, < 6.1.144 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.2, < 6.6.97 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.7, < 6.12.37 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.13, < 6.15.6 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel 2.6.12 cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
linux linux_kernel 2.6.12 cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
linux linux_kernel 2.6.12 cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
linux linux_kernel 2.6.12 cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
linux linux_kernel 2.6.12 cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
linux linux_kernel 6.16 cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
linux linux_kernel 6.16 cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
linux linux_kernel 6.16 cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
linux linux_kernel 6.16 cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References for CVE-2025-38377

URL Tags
https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea Patch
https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a Patch
https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157 Patch
https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db Patch
https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4 Patch
https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756 Patch
https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4 Patch
https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1 Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Mailing List Third Party Advisory