CVE-2025-23142 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
sctp: detect and prevent references to a freed transport in sendmsg
sctp_sendmsg() re-uses associations and transports when possible by doing a lookup based on the socket endpoint and the message destination address, and then sctp_sendmsg_to_asoc() sets the selected transport in all the message chunks to be sent.
There's a possible race condition if another thread triggers the removal of that selected transport, for instance, by explicitly unbinding an address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have been set up and before the message is sent. This can happen if the send buffer is full, during the period when the sender thread temporarily releases the socket lock in sctp_wait_for_sndbuf().
This causes the access to the transport data in sctp_outq_select_transport(), when the association outqueue is flushed, to result in a use-after-free read.
This change avoids this scenario by having sctp_transport_free() signal the freeing of the transport, tagging it as "dead". In order to do this, the patch restores the "dead" bit in struct sctp_transport, which was removed in commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport").
Then, in the scenario where the sender thread has released the socket lock in sctp_wait_for_sndbuf(), the bit is checked again after re-acquiring the socket lock to detect the deletion. This is done while holding a reference to the transport to prevent it from being freed in the process.
If the transport was deleted while the socket lock was relinquished, sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the send.
The bug was found by a private syzbot instance (see the error report [1]
and the C reproducer that triggers it [2]).
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability CVE-2025-23142 represents a critical use-after-free condition in the Linux kernel's Stream Control Transmission Protocol implementation that arises from a race condition during SCTP message transmission. This flaw occurs within the sctp_sendmsg() function which manages the reuse of associations and transports by performing lookups based on socket endpoints and destination addresses. The vulnerability manifests when the system attempts to send SCTP messages while another thread concurrently removes the transport structure, creating a scenario where freed memory is accessed during message processing. The technical implementation involves the sctp_sendmsg_to_asoc() function setting selected transport information in message chunks, but fails to account for potential transport removal during the brief period when the socket lock is temporarily released.
The race condition specifically occurs during the sctp_wait_for_sndbuf() function where the sender thread temporarily releases the socket lock while waiting for available send buffer space. This temporary unlock window allows other threads to execute operations such as setsockopt(SCTP_SOCKOPT_BINDX_REM) that explicitly unbind addresses and remove transports from the system. When the original sending thread re-acquires the socket lock, it continues processing without verifying whether the previously selected transport has been freed, leading to a use-after-free read condition in sctp_outq_select_transport() during outqueue flushing operations. This vulnerability directly relates to CWE-416, which describes the use of freed pointers, and specifically targets the improper handling of memory management in concurrent scenarios.
The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable arbitrary code execution or system instability. Attackers could exploit this race condition by creating conditions that force the system into the problematic code path, potentially causing denial of service through kernel crashes or more severe exploitation if the freed memory is reused for malicious purposes. The vulnerability affects all systems running Linux kernels with SCTP support, particularly those handling high volumes of SCTP traffic or systems where multiple threads simultaneously manipulate SCTP associations. The issue was discovered through automated fuzzing by syzbot, indicating that it represents a subtle concurrency flaw that would be difficult to detect through manual testing or traditional security scanning methods, aligning with ATT&CK technique T1059.007 for execution through kernel-level code injection.
The patch addresses this vulnerability by reintroducing and properly utilizing the "dead" bit field in the sctp_transport structure that was previously removed in commit 47faa1e4c50e. This restoration allows the sctp_transport_free() function to properly signal when a transport is being freed by tagging it as "dead" rather than immediately destroying it. The implementation includes a critical check mechanism that verifies the transport's status after re-acquiring the socket lock, maintaining proper reference counting to prevent concurrent freeing operations. When the system detects that a transport has been marked as dead during the temporary unlock period, the sctp_sendmsg_to_asoc() function returns -EAGAIN to userspace, prompting applications to retry the send operation. This approach follows secure coding principles by ensuring proper synchronization and memory state validation, addressing the root cause rather than merely patching symptoms. The fix also incorporates proper reference management to prevent the race condition from occurring in the first place, demonstrating adherence to secure programming practices that prevent concurrent access to freed resources.