CVE-2025-37894 in Linux
Summary
by MITRE • 05/20/2025
In the Linux kernel, the following vulnerability has been resolved:
net: use sock_gen_put() when sk_state is TCP_TIME_WAIT
It is possible for a pointer of type struct inet_timewait_sock to be returned from the functions __inet_lookup_established() and __inet6_lookup_established(). This can cause a crash when the returned pointer is of type struct inet_timewait_sock and sock_put() is called on it. The following is a crash call stack that shows sk->sk_wmem_alloc being accessed in sk_free() during the call to sock_put() on a struct inet_timewait_sock pointer. To avoid this issue, use sock_gen_put() instead of sock_put() when sk->sk_state is TCP_TIME_WAIT.
mrdump.ko ipanic() + 120 vmlinux notifier_call_chain(nr_to_call=-1, nr_calls=0) + 132 vmlinux atomic_notifier_call_chain(val=0) + 56 vmlinux panic() + 344 vmlinux add_taint() + 164 vmlinux end_report() + 136 vmlinux kasan_report(size=0) + 236 vmlinux report_tag_fault() + 16 vmlinux do_tag_recovery() + 16 vmlinux __do_kernel_fault() + 88 vmlinux do_bad_area() + 28 vmlinux do_tag_check_fault() + 60 vmlinux do_mem_abort() + 80 vmlinux el1_abort() + 56 vmlinux el1h_64_sync_handler() + 124 vmlinux > 0xFFFFFFC080011294() vmlinux __lse_atomic_fetch_add_release(v=0xF2FFFF82A896087C) vmlinux __lse_atomic_fetch_sub_release(v=0xF2FFFF82A896087C) vmlinux arch_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux raw_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux __refcount_sub_and_test(i=1, r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux __refcount_dec_and_test(r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux refcount_dec_and_test(r=0xF2FFFF82A896087C) + 8 vmlinux sk_free(sk=0xF2FFFF82A8960700) + 28 vmlinux sock_put() + 48 vmlinux tcp6_check_fraglist_gro() + 236 vmlinux tcp6_gro_receive() + 624 vmlinux ipv6_gro_receive() + 912 vmlinux dev_gro_receive() + 1116 vmlinux napi_gro_receive() + 196 ccmni.ko ccmni_rx_callback() + 208 ccmni.ko ccmni_queue_recv_skb() + 388 ccci_dpmaif.ko dpmaif_rxq_push_thread() + 1088 vmlinux kthread() + 268 vmlinux 0xFFFFFFC08001F30C()
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/14/2025
The vulnerability CVE-2025-37894 addresses a critical issue within the Linux kernel's networking subsystem that arises from improper handling of socket references during TCP connection teardown. This flaw occurs when the kernel's TCP implementation attempts to release a socket reference that has already transitioned into the TCP_TIME_WAIT state, leading to a potential system crash. The root cause lies in the incorrect use of sock_put() function instead of sock_gen_put() when dealing with sockets in the TCP_TIME_WAIT state, which results in accessing invalid memory locations during socket deallocation.
The technical execution of this vulnerability involves a specific sequence where functions __inet_lookup_established() and __inet6_lookup_established() may return pointers to struct inet_timewait_sock objects rather than regular socket structures. When these timewait socket pointers are subsequently passed to sock_put(), the kernel attempts to access members of the socket structure that do not exist in the timewait socket layout, particularly the sk_wmem_alloc field. This memory access violation triggers a kernel panic, as demonstrated in the call stack showing the crash occurring within sk_free() during the sock_put() operation. The flaw manifests when the kernel processes incoming network packets through the TCP6_GRO (Generic Receive Offload) mechanism, specifically in functions like tcp6_check_fraglist_gro() and tcp6_gro_receive().
This vulnerability directly relates to CWE-476, which describes a null pointer dereference, and aligns with ATT&CK technique T1499.004, which involves network denial of service through resource exhaustion or corruption. The operational impact of this vulnerability is severe, as it can cause complete system crashes or panics, effectively rendering the affected system unavailable for network operations. Attackers could potentially exploit this vulnerability by crafting specific network traffic patterns that trigger the lookup functions to return timewait socket pointers, leading to system instability and denial of service conditions. The vulnerability affects all Linux kernel versions that implement the problematic TCP connection handling logic, particularly those with network stack implementations that utilize the affected lookup and socket release functions.
The recommended mitigation strategy involves implementing the fix by replacing sock_put() with sock_gen_put() when the socket state is TCP_TIME_WAIT. This approach ensures that the proper reference counting mechanism is used for timewait sockets, which have different memory layouts and lifecycle management requirements compared to regular established sockets. The fix requires modification to the kernel networking code in the tcp6_gro_receive() and related functions, ensuring that socket state checking occurs before reference counting operations. Additionally, system administrators should prioritize applying kernel updates that contain this patch, as the vulnerability can be exploited remotely through network traffic processing, making it a critical security concern for all systems running affected kernel versions. The implementation of this fix aligns with best practices for kernel memory management and prevents improper access to socket structures during their transition through different states in the TCP connection lifecycle.