CVE-2025-38112 (GCVE-0-2025-38112)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: Fix TOCTOU issue in sk_is_readable()
sk->sk_prot->sock_is_readable is a valid function pointer when sk resides
in a sockmap. After the last sk_psock_put() (which usually happens when
socket is removed from sockmap), sk->sk_prot gets restored and
sk->sk_prot->sock_is_readable becomes NULL.
This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded
after the initial check. Which in turn may lead to a null pointer
dereference.
Ensure the function pointer does not turn NULL after the check.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ► | Linux | Linux |
Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 |
|
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sock.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2b26638476baee154920bb587fc94ff1bf04336",
"status": "affected",
"version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
"versionType": "git"
},
{
"lessThan": "6fa68d7eab34d448a61aa24ea31e68b3231ed20d",
"status": "affected",
"version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
"versionType": "git"
},
{
"lessThan": "8926a7ef1977a832dd6bf702f1a99303dbf15b15",
"status": "affected",
"version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
"versionType": "git"
},
{
"lessThan": "ff55c85a923e043d59d26b20a673a1b4a219c310",
"status": "affected",
"version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
"versionType": "git"
},
{
"lessThan": "1e0de7582ceccbdbb227d4e0ddf65732f92526da",
"status": "affected",
"version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
"versionType": "git"
},
{
"lessThan": "1b367ba2f94251822577daed031d6b9a9e11ba91",
"status": "affected",
"version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
"versionType": "git"
},
{
"lessThan": "2660a544fdc0940bba15f70508a46cf9a6491230",
"status": "affected",
"version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sock.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix TOCTOU issue in sk_is_readable()\n\nsk-\u003esk_prot-\u003esock_is_readable is a valid function pointer when sk resides\nin a sockmap. After the last sk_psock_put() (which usually happens when\nsocket is removed from sockmap), sk-\u003esk_prot gets restored and\nsk-\u003esk_prot-\u003esock_is_readable becomes NULL.\n\nThis makes sk_is_readable() racy, if the value of sk-\u003esk_prot is reloaded\nafter the initial check. Which in turn may lead to a null pointer\ndereference.\n\nEnsure the function pointer does not turn NULL after the check."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:29.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2b26638476baee154920bb587fc94ff1bf04336"
},
{
"url": "https://git.kernel.org/stable/c/6fa68d7eab34d448a61aa24ea31e68b3231ed20d"
},
{
"url": "https://git.kernel.org/stable/c/8926a7ef1977a832dd6bf702f1a99303dbf15b15"
},
{
"url": "https://git.kernel.org/stable/c/ff55c85a923e043d59d26b20a673a1b4a219c310"
},
{
"url": "https://git.kernel.org/stable/c/1e0de7582ceccbdbb227d4e0ddf65732f92526da"
},
{
"url": "https://git.kernel.org/stable/c/1b367ba2f94251822577daed031d6b9a9e11ba91"
},
{
"url": "https://git.kernel.org/stable/c/2660a544fdc0940bba15f70508a46cf9a6491230"
}
],
"title": "net: Fix TOCTOU issue in sk_is_readable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38112",
"datePublished": "2025-07-03T08:35:21.276Z",
"dateReserved": "2025-04-16T04:51:23.985Z",
"dateUpdated": "2025-07-28T04:12:29.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38112\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-03T09:15:24.960\",\"lastModified\":\"2025-07-03T15:13:53.147\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: Fix TOCTOU issue in sk_is_readable()\\n\\nsk-\u003esk_prot-\u003esock_is_readable is a valid function pointer when sk resides\\nin a sockmap. After the last sk_psock_put() (which usually happens when\\nsocket is removed from sockmap), sk-\u003esk_prot gets restored and\\nsk-\u003esk_prot-\u003esock_is_readable becomes NULL.\\n\\nThis makes sk_is_readable() racy, if the value of sk-\u003esk_prot is reloaded\\nafter the initial check. Which in turn may lead to a null pointer\\ndereference.\\n\\nEnsure the function pointer does not turn NULL after the check.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: Se solucion\u00f3 el problema de TOCTOU en sk_is_readable(). sk-\u0026gt;sk_prot-\u0026gt;sock_is_readable es un puntero a funci\u00f3n v\u00e1lido cuando sk reside en un mapa de sockets. Tras el \u00faltimo sk_psock_put() (que suele ocurrir al eliminar un socket de un mapa de sockets), sk-\u0026gt;sk_prot se restaura y sk-\u0026gt;sk_prot-\u0026gt;sock_is_readable se convierte en NULL. Esto hace que sk_is_readable() sea arriesgado si el valor de sk-\u0026gt;sk_prot se recarga despu\u00e9s de la comprobaci\u00f3n inicial. Esto, a su vez, puede provocar una desreferencia de puntero nulo. Aseg\u00farese de que el puntero a funci\u00f3n no se convierta en NULL despu\u00e9s de la comprobaci\u00f3n.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1b367ba2f94251822577daed031d6b9a9e11ba91\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1e0de7582ceccbdbb227d4e0ddf65732f92526da\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2660a544fdc0940bba15f70508a46cf9a6491230\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6fa68d7eab34d448a61aa24ea31e68b3231ed20d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8926a7ef1977a832dd6bf702f1a99303dbf15b15\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c2b26638476baee154920bb587fc94ff1bf04336\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ff55c85a923e043d59d26b20a673a1b4a219c310\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…