{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-22103","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.819Z","datePublished":"2025-04-16T14:12:52.164Z","dateUpdated":"2026-05-11T21:13:01.492Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:13:01.492Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer dereference in l3mdev_l3_rcv\n\nWhen delete l3s ipvlan:\n\n ip link del link eth0 ipvlan1 type ipvlan mode l3s\n\nThis may cause a null pointer dereference:\n\n Call trace:\n ip_rcv_finish+0x48/0xd0\n ip_rcv+0x5c/0x100\n __netif_receive_skb_one_core+0x64/0xb0\n __netif_receive_skb+0x20/0x80\n process_backlog+0xb4/0x204\n napi_poll+0xe8/0x294\n net_rx_action+0xd8/0x22c\n __do_softirq+0x12c/0x354\n\nThis is because l3mdev_l3_rcv() visit dev->l3mdev_ops after\nipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process\nlike this:\n\n (CPU1) | (CPU2)\n l3mdev_l3_rcv() |\n check dev->priv_flags: |\n master = skb->dev; |\n |\n | ipvlan_l3s_unregister()\n | set dev->priv_flags\n | dev->l3mdev_ops = NULL;\n |\n visit master->l3mdev_ops |\n\nTo avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ipvlan/ipvlan_l3s.c"],"versions":[{"version":"c675e06a98a474f7ad0af32ce467613da818da52","lessThan":"52b44d8c653459c658b733d13658afdde45f6836","status":"affected","versionType":"git"},{"version":"c675e06a98a474f7ad0af32ce467613da818da52","lessThan":"59599bce44af3df7a215ebc81cb166426e1c9204","status":"affected","versionType":"git"},{"version":"c675e06a98a474f7ad0af32ce467613da818da52","lessThan":"f9dff65140efc289f01bcf39c3ca66a8806b6132","status":"affected","versionType":"git"},{"version":"c675e06a98a474f7ad0af32ce467613da818da52","lessThan":"0032c99e83b9ce6d5995d65900aa4b6ffb501cce","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ipvlan/ipvlan_l3s.c"],"versions":[{"version":"5.1","status":"affected"},{"version":"0","lessThan":"5.1","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.46","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.14.2","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.12.46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.14.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/52b44d8c653459c658b733d13658afdde45f6836"},{"url":"https://git.kernel.org/stable/c/59599bce44af3df7a215ebc81cb166426e1c9204"},{"url":"https://git.kernel.org/stable/c/f9dff65140efc289f01bcf39c3ca66a8806b6132"},{"url":"https://git.kernel.org/stable/c/0032c99e83b9ce6d5995d65900aa4b6ffb501cce"}],"title":"net: fix NULL pointer dereference in l3mdev_l3_rcv","x_generator":{"engine":"bippy-1.2.0"}}}}