CVE-2025-38639 in Linux
Summary
by MITRE • 08/22/2025
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_nfacct: don't assume acct name is null-terminated
BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721 Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851 [..]
string+0x231/0x2b0 lib/vsprintf.c:721 vsnprintf+0x739/0xf00 lib/vsprintf.c:2874 [..]
nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41 xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523
nfnl_acct_find_get() handles non-null input, but the error printk relied on its presence.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/28/2026
The vulnerability CVE-2025-38639 represents a critical out-of-bounds read flaw within the Linux kernel's netfilter subsystem, specifically affecting the xt_nfacct match module. This issue manifests as a slab-out-of-bounds error detected by Kernel Address Sanitizer (KASAN) during kernel execution. The flaw occurs when processing accounting names within the netfilter framework, where the system assumes that accounting names are null-terminated strings, a condition that cannot be guaranteed in all scenarios. The error trace points to lib/vsprintf.c at line 721 in the string function, indicating that the kernel's string handling routines encounter memory beyond their allocated bounds when processing accounting name data.
The technical root cause stems from improper input validation within the nfnl_acct_find_get() function which handles accounting name lookups but fails to account for non-null-terminated input strings. This function's behavior creates a dangerous assumption that accounting names will always be properly null-terminated, allowing attackers to craft malicious inputs that bypass normal string boundary checks. The vulnerability specifically affects the nfacct_mt_checkentry function in xt_nfacct.c at line 41, where the error print statement relies on the assumption of null-terminated strings, leading to memory access violations when the kernel attempts to process accounting data.
The operational impact of this vulnerability extends beyond simple memory corruption, as it can potentially enable privilege escalation or denial of service conditions within kernel space. Attackers could exploit this flaw by submitting specially crafted netfilter rules containing non-null-terminated accounting names, causing the kernel to read beyond allocated memory regions and potentially execute arbitrary code with kernel privileges. This represents a significant threat to system stability and security, particularly in environments where netfilter rules are dynamically configured or where untrusted input is processed through the accounting subsystem. The vulnerability aligns with CWE-129 Input Validation and CWE-787 Out-of-bounds Write categories, demonstrating how improper handling of string boundaries can lead to severe kernel-level exploits.
Mitigation strategies for this vulnerability require immediate kernel updates from vendors who have addressed the issue in their patched releases. System administrators should prioritize applying security patches that modify the xt_nfacct module to properly validate input string boundaries before processing accounting names. Additionally, implementing runtime protections such as kernel hardening features and address space layout randomization can provide defense-in-depth measures against exploitation attempts. The fix typically involves modifying the nfnl_acct_find_get() function to explicitly check string boundaries and ensure proper null-termination before any string processing operations, preventing the out-of-bounds memory access that leads to system instability and potential privilege escalation. This vulnerability demonstrates the critical importance of proper input validation in kernel space operations and aligns with ATT&CK technique T1068, which covers local privilege escalation through kernel vulnerabilities.