Skip to main content

Linux Kernel CVE-2025-39964

LOW
2025-10-13 416baaa9-dc9f-4396-8d5f-8c081fb06d67
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.6 LOW

Race condition requires concurrent writes (AC:H); local low-privilege socket access required (PR:L); data interleaving introduces integrity impact (I:L) beyond availability alone.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 13:31 vuln.today
CVE Published
Oct 13, 2025 - 14:15 nvd
LOW 3.3

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state.

Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.

AnalysisAI

Concurrent write access to AF_ALG cryptographic sockets in the Linux kernel corrupts internal socket state and interleaves cryptographic data in an unpredictable manner, undermining the integrity and availability of kernel crypto operations for local users. The flaw spans multiple stable kernel branches up to and including 6.17-rc4, with six upstream patch commits available. No public exploit or active exploitation has been identified; the Siemens SSA-019113 advisory confirms downstream impact on industrial and embedded Linux-based products.

Technical ContextAI

AF_ALG (AF_ALG socket family) is the Linux kernel's user-space interface to the in-kernel cryptographic API, exposed via SOCK_SEQPACKET sockets. Applications invoke cryptographic algorithms by writing plaintext or AAD to the socket via sendmsg() and reading ciphertext back. The root cause is the absence of a mutual exclusion primitive in af_alg_sendmsg(): two threads or processes sharing the same socket descriptor could issue concurrent write calls, causing their data to be interleaved within the kernel buffer and leaving the internal ctx (socket context) in an inconsistent state. The fix introduces a ctx->write flag that enforces exclusive ownership of the write path, effectively serializing sendmsg() calls. CWE is not formally assigned, but this is a textbook CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization / Race Condition). CPE confirms the affected product is the Linux kernel across a broad version range up to 6.17-rc4.

RemediationAI

Apply the upstream stable kernel patches for the relevant branch; seven commits are available at git.kernel.org/stable (see references 0f28c4ad, 1b34cbbf, 1f323a48, 45bcf60f, 7c4491b5, 9aee87da, e4c1ec11). An exact fixed release version is not independently confirmed from the available data - operators should consult their distribution's security advisories (e.g., Ubuntu USN, RHEL RHSA, SUSE SUSE-SU) for backported fixes. Siemens operators should follow SSA-019113 for vendor-specific guidance. As a compensating control where patching is not immediately feasible, restricting access to AF_ALG sockets via seccomp, SELinux, or AppArmor policies (blocking the socket(AF_ALG, ...) syscall for untrusted processes) eliminates the attack surface entirely, with the trade-off of disabling kernel-accelerated cryptography for those processes. This is low-risk in environments where userspace crypto libraries (OpenSSL, libgcrypt) serve as fallback.

Share

CVE-2025-39964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy