CVE-2025-39702
Severity: High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:
ipv6: sr: Fix MAC comparison to be constant-time
To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
Analysis
A timing attack vulnerability exists in the Linux kernel's IPv6 Segment Routing (SR) implementation where MAC (Message Authentication Code) comparisons are performed using non-constant-time operations. This timing side-channel weakness (CWE-203) affects multiple Linux kernel versions and could allow a local attacker with low privileges to potentially extract cryptographic secrets by measuring subtle timing differences during MAC validation. With an EPSS score of 0.02% (4th percentile), exploitation likelihood is very low, and patches are available from the vendor.
Technical Context
The vulnerability resides in the Linux kernel's IPv6 Segment Routing (SR) module, specifically in MAC comparison logic. The affected code uses timing-variable string comparison instead of constant-time comparison functions when validating Message Authentication Codes. This creates a side-channel vulnerability (CWE-203: Observable Discrepancy) where an attacker can measure execution time differences to infer information about secret values byte-by-byte. The CPE data indicates affected products include the Linux kernel mainline (cpe:2.3:o:linux:linux_kernel) across multiple version ranges and release candidates (6.17 RC1, RC2), as well as Debian Linux 11.0. IPv6 Segment Routing is an extension that allows defining explicit packet paths through IPv6 networks, and the HMAC verification is critical for authenticating segment routing headers.
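The comparison problem described above, shown here as an added illustration rather than as the kernel's own code: a memcmp-style early-exit comparison beside a constant-time one written in the style of the kernel's crypto_memneq() helper (the constant-time helper the fix is understood to switch to; the page does not name it, so that is an assumption here). The 32-byte MAC length follows the HMAC TLV field size in RFC 8754, the MAC values are constructed, and the bytes_examined counter is instrumentation added here so the data-dependent amount of work is visible without needing timing measurements.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the HMAC field in an SRH HMAC TLV: 256 bits (RFC 8754). */
#define SEG6_HMAC_LEN 32

/* Early-exit comparison with the same observable behaviour as memcmp():
 * it stops at the first differing byte. Returns non-zero if the buffers
 * differ and records how many bytes were inspected, which is what an
 * observer can infer from execution time. */
int mac_neq_early_exit(const uint8_t *a, const uint8_t *b, size_t n,
                       size_t *bytes_examined)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *bytes_examined = i + 1;
            return 1;
        }
    }
    *bytes_examined = n;
    return 0;
}

/* Constant-time comparison in the style of crypto_memneq(): every byte is
 * always inspected and differences are accumulated with OR, so the amount
 * of work does not depend on where, or whether, the inputs differ. */
int mac_neq_constant_time(const uint8_t *a, const uint8_t *b, size_t n,
                          size_t *bytes_examined)
{
    volatile uint8_t acc = 0;   /* volatile discourages an early-exit rewrite */
    size_t i;

    for (i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    *bytes_examined = n;
    return acc != 0;
}

/* Constructed test pair: 'expected' is a fixed byte pattern and 'received'
 * is a copy that first differs at byte first_diff (identical when
 * first_diff >= SEG6_HMAC_LEN). */
void make_mac_pair(uint8_t *expected, uint8_t *received, size_t first_diff)
{
    size_t i;

    for (i = 0; i < SEG6_HMAC_LEN; i++)
        expected[i] = (uint8_t)(0xA5 ^ i);
    memcpy(received, expected, SEG6_HMAC_LEN);
    if (first_diff < SEG6_HMAC_LEN)
        received[first_diff] ^= 0x01;
}

/* Bytes inspected by the early-exit compare for a mismatch at first_diff. */
size_t early_exit_bytes(size_t first_diff)
{
    uint8_t expected[SEG6_HMAC_LEN], received[SEG6_HMAC_LEN];
    size_t examined;

    make_mac_pair(expected, received, first_diff);
    mac_neq_early_exit(expected, received, SEG6_HMAC_LEN, &examined);
    return examined;
}

/* Bytes inspected by the constant-time compare: always SEG6_HMAC_LEN. */
size_t constant_time_bytes(size_t first_diff)
{
    uint8_t expected[SEG6_HMAC_LEN], received[SEG6_HMAC_LEN];
    size_t examined;

    make_mac_pair(expected, received, first_diff);
    mac_neq_constant_time(expected, received, SEG6_HMAC_LEN, &examined);
    return examined;
}

/* Both comparisons must reach the same verdict (0 = match, 1 = mismatch);
 * returns -1 if they ever disagree. */
int mac_verdict(size_t first_diff)
{
    uint8_t expected[SEG6_HMAC_LEN], received[SEG6_HMAC_LEN];
    size_t unused;
    int early, ct;

    make_mac_pair(expected, received, first_diff);
    early = mac_neq_early_exit(expected, received, SEG6_HMAC_LEN, &unused);
    ct = mac_neq_constant_time(expected, received, SEG6_HMAC_LEN, &unused);
    return early == ct ? ct : -1;
}

int main(void)
{
    size_t pos;

    printf("first_diff  early_exit_bytes  constant_time_bytes\n");
    for (pos = 0; pos <= SEG6_HMAC_LEN; pos += 8)
        printf("%10zu  %16zu  %19zu\n", pos,
               early_exit_bytes(pos), constant_time_bytes(pos));
    return 0;
}
```

The table printed by main shows the point the description makes: the early-exit version's work grows with the position of the first mismatch, so a forged MAC that happens to match more leading bytes takes measurably longer to reject, while the constant-time version always touches all 32 bytes and gives the same verdict.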
Affected Products
The Linux kernel is affected across multiple stable and release candidate versions. Based on CPE data (cpe:2.3:o:linux:linux_kernel), the vulnerability impacts various kernel version ranges including release candidates 6.17 RC1 and RC2. Debian Linux 11.0 (cpe:2.3:o:debian:debian_linux:11.0) is also confirmed affected. Specific version ranges can be determined from the patch commits referencing stable kernel trees. Organizations running Linux systems with IPv6 Segment Routing enabled should verify their kernel versions against the patched versions. The Debian LTS announcement is available at https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html, and kernel.org patch references provide detailed version information.
Remediation
Apply the appropriate kernel patch from the official Linux kernel stable tree based on your kernel version. Patches are available at https://git.kernel.org/stable/c/3b348c9c8d2ca2c67559ffd0e258ae7e1107d4f0, https://git.kernel.org/stable/c/3ddd55cf19ed6cc62def5e3af10c2a9df1b861c3, https://git.kernel.org/stable/c/86b6d34717fe0570afce07ee79b8eeb40341f831, https://git.kernel.org/stable/c/a458b2902115b26a25d67393b12ddd57d1216aaa, https://git.kernel.org/stable/c/b3967c493799e63f648e9c7b6cb063aa2aed04e7, https://git.kernel.org/stable/c/f7878d47560d61e3f370aca3cebb8f42a55b990a, and https://git.kernel.org/stable/c/ff55a452d56490047f5233cc48c5d933f8586884. Debian users should follow the guidance in the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html and update to patched kernel versions through their package manager. As a temporary mitigation if immediate patching is not possible, consider disabling IPv6 Segment Routing functionality if it is not required for operations, or restrict local access to systems where this feature is critical.