LiveActive security incident?Get immediate response
CVE Record

CVE-2025-38587: ipv6: fix possible infinite loop in fib6_info_uses_dev()

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loop in fib6_info_uses_dev() fib6_info_uses_dev() seems to rely on RCU without an explicit protection. Like the prior fix in rt6_nlmsg_size(), we need to make sure fib6_del_route() or fib6_add_rt2node() have not removed the anchor from the list, or we risk an infinite loop.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can cause an infinite loop in IPv6 routing code under specific route update conditions. The business concern is reliability: affected systems could hang or consume CPU in kernel networking paths. The sources do not provide CVSS, exploitability details, or evidence of active exploitation.

Executive priority

Treat this as a reliability-focused kernel patching item. Prioritize internet-facing, network-heavy, and IPv6-enabled Linux infrastructure, but do not classify it as emergency exploitation response based on the provided evidence.

Technical view

CVE-2025-38587 fixes a possible infinite loop in fib6_info_uses_dev(). The CVE text says the function relied on RCU without explicit protection and could loop if fib6_del_route() or fib6_add_rt2node() removed an anchor from a list.

Likely exposure

Exposure is limited to Linux systems running affected kernel versions or downstream packages that include the vulnerable IPv6 routing code. The bundle lists Linux kernel version and commit data but no CPEs, appliances, cloud images, or specific distributions beyond a Debian LTS advisory reference.

Exploitation context

The source bundle marks KEV as false and provides no cited evidence of exploitation in the wild. It also does not describe attacker prerequisites, reachability, or a proof of concept, so operational assessment should avoid assuming remote exploitability.

Researcher notes

The core evidence is the upstream kernel fix rationale: missing explicit RCU protection around list traversal could leave an anchor removed and cause an infinite loop. The bundle lacks CVSS, CWE, precise trigger conditions, and exploitability analysis.

Mitigation direction

  • Update affected Linux kernels using vendor or distribution security guidance.
  • Verify the deployed kernel includes the referenced stable fix commits.
  • Review Debian LTS and other distribution advisories for package-specific fixes.
  • Prioritize systems that rely on IPv6 routing or route churn.
  • Monitor vendor guidance for CVSS, exploitability, and backport clarifications.

Validation and detection

  • Inventory Linux kernel versions across servers, containers hosts, and appliances.
  • Compare versions against vendor advisories and the CVE version data.
  • Check kernel changelogs for the referenced stable commit IDs.
  • Confirm patched systems boot the expected fixed kernel package.
  • Review logs for kernel soft lockups or IPv6 routing instability.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-38587 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
8Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2, 52da02521ede55fb86546c3fffd9377b3261b91f, 34a949e7a0869dfa31a40416d2a56973fae1807b, d9ccb18f83ea2bb654289b6ecf014fd267cc988b, d9ccb18f83ea2bb654289b6ecf014fd267cc988b, d9ccb18f83ea2bb654289b6ecf014fd267cc988b, 11edcd026012ac18acee0f1514db3ed1b160fc6f, 6.1.128, 6.6.75, 6.12.2, 6.11.11unaffected
LinuxLinux6.13, 0, 6.1.148, 6.6.102, 6.12.42, 6.15.10, 6.16.1, 6.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.