Vulnerability Database

CVE-2025-38665

In the Linux kernel, the following vulnerability has been resolved:

can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode

Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback.

There are 2 code paths that call struct can_priv::do_set_mode:

  • directly by a manual restart from the user space, via can_changelink()
  • delayed automatic restart after bus off (deactivated by default)

To prevent the NULL pointer dereference, refuse a manual restart or configure the automatic restart delay in can_changelink() and report the error via extack to user space.

As an additional safety measure let can_restart() return an error if can_priv::do_set_mode is not set instead of dereferencing it unchecked.
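The two-layer fix described above, as an added user-space model that is not the kernel patch or code from this page: the configuration entry point refuses requests that would later need the optional callback, and the restart routine checks the pointer itself. All `model_*` names, the `errmsg` parameter standing in for extack, and the `-EOPNOTSUPP` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the driver-private state; not the kernel struct. */
struct model_priv {
    int restart_ms;                              /* automatic restart delay, 0 = off */
    int (*do_set_mode)(struct model_priv *p);    /* optional driver callback */
    int restarts;                                /* successful restarts so far */
};

/* Second layer: return an error instead of calling through a NULL pointer. */
int model_restart(struct model_priv *p)
{
    if (!p->do_set_mode)
        return -EOPNOTSUPP;                      /* assumed error code */
    return p->do_set_mode(p);
}

/* First layer: reject a manual restart or a restart-delay change up front
 * when the driver has no callback, and hand a message back to the caller. */
int model_changelink(struct model_priv *p, int set_restart_ms, int restart_ms,
                     int manual_restart, const char **errmsg)
{
    if ((set_restart_ms || manual_restart) && !p->do_set_mode) {
        *errmsg = "device does not support restart from Bus Off";
        return -EOPNOTSUPP;
    }
    if (set_restart_ms)
        p->restart_ms = restart_ms;
    return manual_restart ? model_restart(p) : 0;
}

/* Constructed sample callback for a driver that does support restart. */
static int sample_set_mode(struct model_priv *p)
{
    p->restarts++;
    return 0;
}

int main(void)
{
    struct model_priv no_cb = {0}, with_cb = {0};
    const char *msg = "";
    with_cb.do_set_mode = sample_set_mode;
    printf("no callback:   %d (%s)\n", model_changelink(&no_cb, 0, 0, 1, &msg), msg);
    printf("with callback: %d\n", model_changelink(&with_cb, 1, 100, 1, &msg));
    return 0;
}
```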

  • Published: Aug 22, 2025
  • Updated: Jan 8, 2026
  • CVE: CVE-2025-38665
  • Severity: Medium
  • Exploit:

CVSS v3:

  • Severity: Medium
  • Score: 5.5
  • AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs: