What is the CVSS score of CVE-2025-39946?

CVE-2025-39946 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Linux are affected by CVE-2025-39946?

CVE-2025-39946 presents moderate security risk rated CVSS 5.5. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.. A patch is available.

Is there a public PoC exploit available for CVE-2025-39946?

Yes, a public proof-of-concept exploit is available for CVE-2025-39946. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-39946?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Linux CVE-2025-39946

EUVD-2025-32393 CRITICAL

2025-10-04 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Buffer Overflow Linux

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

PoC Detected

Apr 06, 2026 - 13:30 vuln.today

Public exploit code

Patch released

Apr 06, 2026 - 13:30 nvd

Patch available

EUVD ID Assigned

Mar 13, 2026 - 19:56 euvd

EUVD-2025-32393

Analysis Generated

Mar 13, 2026 - 19:56 vuln.today

CVE Published

Oct 04, 2025 - 08:15 nvd

CRITICAL 9.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

tls: make sure to abort the stream if headers are bogus

Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space.

Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send.

Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.

AnalysisAI

CVE-2025-39946 is a security vulnerability (CVSS 5.5). Risk factors: public PoC available. Vendor patch is available.

Technical ContextAI

Vulnerability type not specified by vendor.

RemediationAI

Apply the vendor-supplied patch immediately.

More from same product – last 7 days

CVE-2026-47334 MEDIUM This Month

5.5 May 28

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect

CVE-2026-47335 MEDIUM This Month

5.5 May 28

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic

CVE-2026-47327 LOW Monitor

3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th

CVE-2026-47337 LOW Monitor

3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local

CVE-2026-45844 Monitor

May 27

In the Linux kernel, the following vulnerability has been resolved: netfilter: arp_tables: fix IEEE1394 ARP payload par

Vendor StatusVendor

CVE-2025-39946 vulnerability details – vuln.today

Back

Linux CVE-2025-39946

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code