CVE-2025-38718

HIGH
2025-09-04 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch Released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Sep 04, 2025 - 16:15 nvd
HIGH 7.8

Tags

Linux Denial Of Service Use After Free Memory Corruption Linux Kernel Debian Linux Redhat Suse

Description

In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline] and BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] This patch fixes it by linearizing cloned gso packets in sctp_rcv().

Analysis

A memory safety vulnerability in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation allows local attackers to read uninitialized memory contents, potentially exposing sensitive kernel data. The issue affects Linux kernel versions from 2.6.12 through 6.12.8 and occurs when the SCTP subsystem improperly handles cloned GSO (Generic Segmentation Offload) packets, leading to use-after-free conditions in memory. While requiring local access and low privileges to exploit, the vulnerability has a high CVSS score of 7.8 and could lead to information disclosure or system compromise.

Technical Context

The vulnerability (CWE-908: Use of Uninitialized Resource) resides in the SCTP protocol implementation within the Linux kernel's networking stack, specifically in the sctp_rcv() function's handling of cloned GSO packets. When a head socket buffer (skb) is cloned, it continues to share fragment socket buffers in its fraglist with the original head skb, creating unsafe memory access conditions. The affected CPE entries indicate this impacts Linux kernel versions across multiple distributions including Debian Linux 11.0 and kernel versions ranging from 2.6.12 through 6.12.8. SCTP is a transport layer protocol used for reliable, message-oriented communication, commonly deployed in telecommunications and high-availability systems.

Affected Products

The vulnerability affects Linux kernel versions from 2.6.12 up to but not including 6.1.126, 6.6.70, 6.8.11, 6.9.2, 6.11.11, 6.12.8, and 6.13-rc1 based on the CPE entries cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with various version ranges. Debian Linux 11.0 is specifically impacted as indicated by cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*. The vulnerability has been addressed through patches available at git.kernel.org with multiple stable branch fixes referenced in the security advisory. Debian has issued security updates as documented in their LTS announcement at https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html.

Remediation

Update the Linux kernel to patched versions: 6.1.126 or later for the 6.1.x branch, 6.6.70 or later for 6.6.x, 6.8.11 or later for 6.8.x, 6.9.2 or later for 6.9.x, 6.11.11 or later for 6.11.x, or 6.12.8 or later for 6.12.x branch. Patches are available through the official kernel repositories at git.kernel.org with specific commits for each stable branch. For Debian users, apply the security updates referenced in https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html. As a temporary mitigation, consider disabling SCTP if not required for your environment using kernel module blacklisting, though this may impact applications requiring SCTP functionality.

Priority Score

39
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +39
POC: 0

Vendor Status

Share

CVE-2025-38718 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy