CVE-2025-38718 in Linux
Summary
by MITRE • 09/04/2025
In the Linux kernel, the following vulnerability has been resolved:
sctp: linearize cloned gso packets in sctp_rcv
A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs.
syzbot reported two use-of-uninitialized-memory bugs caused by this:
BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline]
and
BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline]
This patch fixes it by linearizing cloned gso packets in sctp_rcv().
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/10/2026
The vulnerability described in CVE-2025-38718 affects the Linux kernel's Stream Control Transmission Protocol implementation, specifically within the sctp_rcv function that handles incoming SCTP packets. This issue stems from improper handling of cloned Generic Segmentation Offload (GSO) packets, where the cloned packet structure maintains references to the original packet's fragment skbs in its fraglist. The fundamental flaw occurs when the cloned head skb shares these fragment skbs with the original head skb, creating a scenario where accessing these shared fragments leads to undefined behavior. The vulnerability manifests as use-of-uninitialized-memory errors that can result in system instability and potential security implications.
The technical nature of this vulnerability aligns with CWE-457: Use of Uninitialized Variable, and more specifically with CWE-125: Out-of-bounds Read, as the system attempts to access memory locations that have not been properly initialized or have been freed. The issue is particularly concerning because it occurs during the SCTP packet processing pipeline, which is critical for reliable data transmission in network applications. The kernel's networking stack becomes vulnerable when processing SCTP packets that have been cloned for GSO processing, where the cloned packet structure retains pointers to fragments that may have already been processed or freed by the original packet handling mechanism.
The operational impact of this vulnerability extends beyond simple memory access errors, as it can lead to system crashes, data corruption, and potentially allow attackers to exploit the uninitialized memory access for privilege escalation or denial of service attacks. The reported bugs demonstrate that this vulnerability affects the sctp_inq_pop and sctp_assoc_bh_rcv functions, which are central to SCTP association handling and packet queue management. These functions are invoked during normal network communication operations, making the vulnerability particularly dangerous as it can be triggered by routine SCTP traffic processing, potentially affecting any system running the vulnerable kernel version.
The patch addresses this issue by implementing linearization of cloned GSO packets within the sctp_rcv() function, which ensures that cloned packets are properly separated from their original counterparts and that all fragment data is properly initialized before access. This mitigation strategy directly addresses the root cause by preventing the sharing of fragment skbs between cloned packets, thereby eliminating the race condition that leads to uninitialized memory access. The solution aligns with ATT&CK technique T1059.006: Command and Scripting Interpreter: Python, in terms of preventing privilege escalation through memory corruption vulnerabilities, and follows the principle of least privilege by ensuring proper memory management in kernel space operations. The fix ensures that each cloned packet maintains its own independent copy of fragment data, preventing the scenario where one packet's processing affects another packet's memory state. This approach provides a robust solution that maintains the performance benefits of GSO while eliminating the memory safety issues that could be exploited by malicious actors.