CVE-2025-38718

Severity: HIGH · EPSS 4.7%
Published Sep 4, 2025 · Modified Jun 17, 2026
CVSS 3.1 Base Score: 7.8 (High)

Description

In the Linux kernel, the following vulnerability has been resolved:

sctp: linearize cloned gso packets in sctp_rcv

A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs.

syzbot reported two use-of-uninitialized-memory bugs caused by this:

BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998
 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331
 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122
 __release_sock+0x1da/0x330 net/core/sock.c:3106
 release_sock+0x6b/0x250 net/core/sock.c:3660
 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360
 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885
 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031
 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:718 [inline]

and

BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88
 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
 __release_sock+0x1d3/0x330 net/core/sock.c:3213
 release_sock+0x6b/0x270 net/core/sock.c:3767
 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367
 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886
 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032
 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:712 [inline]

This patch fixes it by linearizing cloned gso packets in sctp_rcv().

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
4.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-908

Affected Products 9

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥4.8   –  <5.4.297
linux    linux_kernel   *         ≥5.5   –  <5.10.241
linux    linux_kernel   *         ≥5.11  –  <5.15.190
linux    linux_kernel   *         ≥5.16  –  <6.6.103
linux    linux_kernel   *         ≥6.7   –  <6.12.43
linux    linux_kernel   *         ≥6.13  –  <6.15.11
linux    linux_kernel   *         ≥6.16  –  <6.16.2
linux    linux_kernel   6.17      any
debian   debian_linux   11.0      any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/03d0cc6889e02420125510b5444b570f4bbf53d5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1bd5214ea681584c5886fea3ba03e49f93a43c0e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4506bcaabe004d07be8ff09116a3024fbd6aa965
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7d757f17bc2ef2727994ffa6d5d6e4bc4789a770
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cd0e92bb2b7542fb96397ffac639b4f5b099d0cb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0194e391bb493aa6cec56d177b14df6b29188d5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ea094f38d387d1b0ded5dee4a3e5720aa4ce0139
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fc66772607101bd2030a4332b3bd0ea3b3605250
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fd60d8a086191fe33c2d719732d2482052fa6805
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
    Mailing List, Third Party Advisory

Remediation

Apply the fix: the nine git.kernel.org stable commits listed under References above (one per affected stable branch) carry the patch that linearizes cloned gso packets in sctp_rcv(). Update to a kernel version at or beyond the fixed release for the affected branch given in the Affected Products table.