CVE-2025-38587: ipv6: fix possible infinite loop in fib6_info_uses_dev()
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix possible infinite loop in fib6_info_uses_dev()
fib6_info_uses_dev() seems to rely on RCU without an explicit
protection.
Like the prior fix in rt6_nlmsg_size(),
we need to make sure fib6_del_route() or fib6_add_rt2node()
have not removed the anchor from the list, or we risk an infinite loop.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can cause an infinite loop in IPv6 routing code under specific route update conditions. The business concern is reliability: affected systems could hang or consume CPU in kernel networking paths. The sources do not provide CVSS, exploitability details, or evidence of active exploitation.
Executive priority
Treat this as a reliability-focused kernel patching item. Prioritize internet-facing, network-heavy, and IPv6-enabled Linux infrastructure, but do not classify it as emergency exploitation response based on the provided evidence.
Technical view
CVE-2025-38587 fixes a possible infinite loop in fib6_info_uses_dev(). The CVE text says the function relied on RCU without explicit protection and could loop if fib6_del_route() or fib6_add_rt2node() removed an anchor from a list.
Likely exposure
Exposure is limited to Linux systems running affected kernel versions or downstream packages that include the vulnerable IPv6 routing code. The bundle lists Linux kernel version and commit data but no CPEs, appliances, cloud images, or specific distributions beyond a Debian LTS advisory reference.
Exploitation context
The source bundle marks KEV as false and provides no cited evidence of exploitation in the wild. It also does not describe attacker prerequisites, reachability, or a proof of concept, so operational assessment should avoid assuming remote exploitability.
Researcher notes
The core evidence is the upstream kernel fix rationale: missing explicit RCU protection around list traversal could leave an anchor removed and cause an infinite loop. The bundle lacks CVSS, CWE, precise trigger conditions, and exploitability analysis.
Mitigation direction
Update affected Linux kernels using vendor or distribution security guidance.
Verify the deployed kernel includes the referenced stable fix commits.
Review Debian LTS and other distribution advisories for package-specific fixes.
Prioritize systems that rely on IPv6 routing or route churn.
Monitor vendor guidance for CVSS, exploitability, and backport clarifications.
Validation and detection
Inventory Linux kernel versions across servers, containers hosts, and appliances.
Compare versions against vendor advisories and the CVE version data.
Check kernel changelogs for the referenced stable commit IDs.
Confirm patched systems boot the expected fixed kernel package.
Review logs for kernel soft lockups or IPv6 routing instability.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-38587 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
8Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Aug 19, 2025, 17:03 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.