Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-38165

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/07/2025
Last modified:
18/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, sockmap: Fix panic when calling skb_linearize<br /> <br /> The panic can be reproduced by executing the command:<br /> ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000<br /> <br /> Then a kernel panic was captured:<br /> &amp;#39;&amp;#39;&amp;#39;<br /> [ 657.460555] kernel BUG at net/core/skbuff.c:2178!<br /> [ 657.462680] Tainted: [W]=WARN<br /> [ 657.463287] Workqueue: events sk_psock_backlog<br /> ...<br /> [ 657.469610] <br /> [ 657.469738] ? die+0x36/0x90<br /> [ 657.469916] ? do_trap+0x1d0/0x270<br /> [ 657.470118] ? pskb_expand_head+0x612/0xf40<br /> [ 657.470376] ? pskb_expand_head+0x612/0xf40<br /> [ 657.470620] ? do_error_trap+0xa3/0x170<br /> [ 657.470846] ? pskb_expand_head+0x612/0xf40<br /> [ 657.471092] ? handle_invalid_op+0x2c/0x40<br /> [ 657.471335] ? pskb_expand_head+0x612/0xf40<br /> [ 657.471579] ? exc_invalid_op+0x2d/0x40<br /> [ 657.471805] ? asm_exc_invalid_op+0x1a/0x20<br /> [ 657.472052] ? pskb_expand_head+0xd1/0xf40<br /> [ 657.472292] ? pskb_expand_head+0x612/0xf40<br /> [ 657.472540] ? lock_acquire+0x18f/0x4e0<br /> [ 657.472766] ? find_held_lock+0x2d/0x110<br /> [ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10<br /> [ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470<br /> [ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10<br /> [ 657.473826] __pskb_pull_tail+0xfd/0x1d20<br /> [ 657.474062] ? __kasan_slab_alloc+0x4e/0x90<br /> [ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510<br /> [ 657.475392] ? __kasan_kmalloc+0xaa/0xb0<br /> [ 657.476010] sk_psock_backlog+0x5cf/0xd70<br /> [ 657.476637] process_one_work+0x858/0x1a20<br /> &amp;#39;&amp;#39;&amp;#39;<br /> <br /> The panic originates from the assertion BUG_ON(skb_shared(skb)) in<br /> skb_linearize(). A previous commit(see Fixes tag) introduced skb_get()<br /> to avoid race conditions between skb operations in the backlog and skb<br /> release in the recvmsg path. However, this caused the panic to always<br /> occur when skb_linearize is executed.<br /> <br /> The "--rx-strp 100000" parameter forces the RX path to use the strparser<br /> module which aggregates data until it reaches 100KB before calling sockmap<br /> logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.<br /> <br /> To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.<br /> <br /> &amp;#39;&amp;#39;&amp;#39;<br /> sk_psock_backlog:<br /> sk_psock_handle_skb<br /> skb_get(skb)

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.54 (including) 6.1.142 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.5.4 (including) 6.6.94 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.3 (excluding)
cpe:2.3:o:linux:linux_kernel:5.15.189:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools