CVE-2026-52925— vrf: Fix a potential NPD when removing a port from a VRF
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-52925
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
vrf: Fix a potential NPD when removing a port from a VRF
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: vrf: Fix a potential NPD when removing a port from a VRF RCU readers that identified a net device as a VRF port using netif_is_l3_slave() assume that a subsequent call to netdev_master_upper_dev_get_rcu() will return a VRF device. They then continue to dereference its l3mdev operations. This assumption is not always correct and can result in a NPD [1]. There is no RCU synchronization when removing a port from a VRF, so it is possible for an RCU reader to see a new master device (e.g., a bridge) that does not have l3mdev operations. Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE flag. Skip this synchronization when a net device is removed from a VRF as part of its deletion and when the VRF device itself is deleted. In the latter case an RCU grace period will pass by the time RTNL is released. [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181) [...] Call Trace: <TASK> l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189) __inet_bind (net/ipv4/af_inet.c:499 (discriminator 3)) inet_bind_sk (net/ipv4/af_inet.c:469) __sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1)) __x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-52925
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-52925
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-52925 (5)
Other References for CVE-2026-52925 (3)
Same Patch Batch · Linux · 2026-06-24 · 219 CVEs total
| CVE-2026-52979 | net: psp: check for device unregister when creating assoc | |
| CVE-2026-52992 | fs/adfs: validate nzones in adfs_validate_bblk() | |
| CVE-2026-52993 | tipc: fix double-free in tipc_buf_append() | |
| CVE-2026-52991 | sched/psi: fix race between file release and pressure write | |
| CVE-2026-52990 | fsnotify: fix inode reference leak in fsnotify_recalc_mask() | |
| CVE-2026-52988 | netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase | |
| CVE-2026-52989 | nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers | |
| CVE-2026-52987 | drm/amdgpu: avoid double drm_exec_fini() in userq validate | |
| CVE-2026-52986 | netfilter: nf_conntrack_sip: don't use simple_strtoul | |
| CVE-2026-52985 | netdevsim: zero initialize struct iphdr in dummy sk_buff | |
| CVE-2026-52984 | net/sched: netem: fix queue limit check to include reordered packets | |
| CVE-2026-52982 | net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() | |
| CVE-2026-52983 | net: airoha: fix BQL imbalance in TX path | |
| CVE-2026-52981 | neigh: let neigh_xmit take skb ownership | |
| CVE-2026-52969 | KVM: Reject wrapped offset in kvm_reset_dirty_gfn() | |
| CVE-2026-52971 | net: ena: PHC: Fix potential use-after-free in get_timestamp | |
| CVE-2026-52972 | crypto: af_alg - Cap AEAD AD length to 0x80000000 | |
| CVE-2026-52970 | netfilter: nft_ct: fix missing expect put in obj eval | |
| CVE-2026-52973 | futex: Drop CLONE_THREAD requirement for private default hash alloc | |
| CVE-2026-52968 | KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic |
Showing top 20 of 219 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
Same vendor: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
V. Comments for CVE-2026-52925
No comments yet