IM
IronMonkey Threat Research

CVE-2025-38465 MEDIUM

Published: 2025-07-25 | Last Modified: 2026-05-12 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc."). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576

Additional Descriptions (1)

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netlink: Se corrigen los wraparounds de sk->sk_rmem_alloc. Netlink presenta este patrón en algunos lugares if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , que presenta el mismo problema corregido por el commit 5a465a0da13e ("udp: Se corrigen múltiples wraparounds de sk->sk_rmem_alloc."). Por ejemplo, si establecemos INT_MAX en SO_RCVBUFFORCE, la condición siempre es falsa, ya que los dos operandos son de tipo int. En ese caso, un solo socket puede consumir tantos skb como sea posible hasta que se produzca un OOM, y podemos observar múltiples wraparounds de sk->sk_rmem_alloc. Para solucionarlo, usemos atomic_add_return() y comparemos las dos variables como enteros sin signo. Antes: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Dirección local: Puerto Dirección del par: Puerto -1668710080 0 rtnl:nl_wraparound/293 * Después: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Dirección local: Puerto Dirección del par: Puerto 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576

CVSS Metrics

Base Score: 5.5 (MEDIUM)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 3.6

Weaknesses

Source Type Description
[email protected] Primary
en CWE-401

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702b80ad86c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bde535580> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b80adab80> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bde164900> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b83f2cdc0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b83f2e400> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bde537740> Operating System
linux linux_kernel 2.6.12 <built-in method update of dict object at 0x702b80ada840> Operating System
linux linux_kernel 2.6.12 <built-in method update of dict object at 0x702b83f2c9c0> Operating System
linux linux_kernel 2.6.12 <built-in method update of dict object at 0x702b83f2c540> Operating System
linux linux_kernel 2.6.12 <built-in method update of dict object at 0x702b80ad9100> Operating System
linux linux_kernel 2.6.12 <built-in method update of dict object at 0x702bde167a80> Operating System
linux linux_kernel 6.16 <built-in method update of dict object at 0x702bdd5d7ec0> Operating System
linux linux_kernel 6.16 <built-in method update of dict object at 0x702bdd5677c0> Operating System
linux linux_kernel 6.16 <built-in method update of dict object at 0x702bde534500> Operating System
linux linux_kernel 6.16 <built-in method update of dict object at 0x702b83f2cbc0> Operating System
linux linux_kernel 6.16 <built-in method update of dict object at 0x702b80adb7c0> Operating System
debian debian_linux 11.0 <built-in method update of dict object at 0x702bdc9f4900> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References

Notification
Message here