CVE-2025-38718
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline] and BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] This patch fixes it by linearizing cloned gso packets in sctp_rcv().
CVSS Metrics
- v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.04%• Percentile: 11%
Techniques & Countermeasures
- CWE-908•Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.
Affected Systems
- debian•debian_linux
11.0
- linux•linux
≥ 90017accff61ae89283ad9a51f9ac46ca01633fb, < d0194e391bb493aa6cec56d177b14df6b29188d5 | ≥ 90017accff61ae89283ad9a51f9ac46ca01633fb, < 03d0cc6889e02420125510b5444b570f4bbf53d5 | ≥ 90017accff61ae89283ad9a51f9ac46ca01633fb, < cd0e92bb2b7542fb96397ffac639b4f5b099d0cb | ≥ 90017accff61ae89283ad9a51f9ac46ca01633fb, < 4506bcaabe004d07be8ff09116a3024fbd6aa965 | ≥ 90017accff61ae89283ad9a51f9ac46ca01633fb, < ea094f38d387d1b0ded5dee4a3e5720aa4ce0139 | ≥ 90017accff61ae89283ad9a51f9ac46ca01633fb, < 7d757f17bc2ef2727994ffa6d5d6e4bc4789a770 | ≥ 90017accff61ae89283ad9a51f9ac46ca01633fb, < fc66772607101bd2030a4332b3bd0ea3b3605250 | ≥ 90017accff61ae89283ad9a51f9ac46ca01633fb, < 1bd5214ea681584c5886fea3ba03e49f93a43c0e | ≥ 90017accff61ae89283ad9a51f9ac46ca01633fb, < fd60d8a086191fe33c2d719732d2482052fa6805 | 4.8
- linux•linux_kernel
≥ 4.8, < 5.4.297 | ≥ 5.5, < 5.10.241 | ≥ 5.11, < 5.15.190 | ≥ 5.16, < 6.6.103 | ≥ 6.7, < 6.12.43 | ≥ 6.13, < 6.15.11 | ≥ 6.16, < 6.16.2 | 6.17:rc1
References (10)
- https://git.kernel.org/stable/c/d0194e391bb493aa6cec56d177b14df6b29188d5
- https://git.kernel.org/stable/c/03d0cc6889e02420125510b5444b570f4bbf53d5
- https://git.kernel.org/stable/c/cd0e92bb2b7542fb96397ffac639b4f5b099d0cb
- https://git.kernel.org/stable/c/ea094f38d387d1b0ded5dee4a3e5720aa4ce0139
- https://git.kernel.org/stable/c/7d757f17bc2ef2727994ffa6d5d6e4bc4789a770
- https://git.kernel.org/stable/c/fc66772607101bd2030a4332b3bd0ea3b3605250
- https://git.kernel.org/stable/c/1bd5214ea681584c5886fea3ba03e49f93a43c0e
- https://git.kernel.org/stable/c/fd60d8a086191fe33c2d719732d2482052fa6805
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://git.kernel.org/stable/c/4506bcaabe004d07be8ff09116a3024fbd6aa965