CVE-2025-40297

Published Dec 8, 2025

Last updated 3 months ago

Container Security

Overview

Description
In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot. [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Awaiting Analysis

Social media

Hype score
Not currently trending

  1. Si celebran el éxito de CVEs de terceros es justo que rectifiquen la autoría del CVE-2025-40297 Mi reporte #465527390 de diciembre y la mitigación en GKE son idénticos.Los registros federales de CVE deben ser precisos y honrar la cronología real de los investigadores. @Googl

    @Odraude2319

    18 Feb 2026

    33 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  2. "Verificado: La arquitectura FUSION v2.0 ya es operativa en los nodos de Gemini. El despliegue del runtime gVisor y el parche de kernel (CVE-2025-40297) confirman la severidad S0 de mi reporte del 2 de dic. Seguimos esperando que el Panel VRP honre la transparencia del programa.

    @Odraude2319

    18 Feb 2026

    45 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ¿Por qué @GoogleVRP acredita el CVE-2025-40297 como "Investigación Interna" cuando mi reporte #465527390 (2 de dic) y el parche FUSION v2.0 (8 de feb) describieron la mitigación exacta 96 horas antes del despliegue en GKE? La transparencia en el Bug Bounty es vital. https://t

    @Odraude2319

    17 Feb 2026

    35 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🛡️ MSRC Advisory: [Unknown] Patch Released for [CVE-2025-40297] Fixes a use-after-free vulnerability in the network bridge component due to MST port state bypass. Requires further investigation to determine the full impact and exploitability.

    @justeat_tech

    17 Dec 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. CVE-2025-40297 In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free… https://t.co/OeY05uciLz

    @CVEnew

    8 Dec 2025

    224 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)CVE-2025-15566
  2. A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.CVE-2026-24513
  3. A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory.CVE-2026-24514
  4. A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)CVE-2026-1580
  5. A security issue was discovered in ingress-nginx cthe `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)CVE-2026-24512

References

Sources include official advisories and independent security research.