Security tracker / CVE-2025-38248

CVE-2025-38248

bridge: mcast: Fix use-after-free during router port configuration

References

• Debian security tracker
• cve.org

Notes

 carnil> Introduced in 2796d846d74a ("net: bridge: vlan: convert mcast router global
 carnil> option to per-vlan entry")
 carnil> 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable,
 carnil> disable}_port functions"). Vulnerable versions: 5.15.

Bugs

Status

Branch	Status
upstream	released (6.16-rc4) [7544f3f5b0b58c396f374d060898b5939da31709]
6.18-upstream-stable	N/A "Fixed before branching point"
6.17-upstream-stable	N/A "Fixed before branching point"
6.15-upstream-stable	released (6.15.5) [f05a4f9e959e0fc098046044c650acf897ea52d2]
6.12-upstream-stable	needed
6.6-upstream-stable	needed
6.1-upstream-stable	needed
5.10-upstream-stable	N/A "Vulnerable code not present"
sid	released (6.16.3-1)
6.12-trixie-security	needed
6.1-bookworm-security	needed
5.10-bullseye-security	N/A "Vulnerable code not present"