CVE-2025-38727 in Linux
Summary
by MITRE • 09/04/2025
In the Linux kernel, the following vulnerability has been resolved:
netlink: avoid infinite retry looping in netlink_unicast()
netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has:
rmem < READ_ONCE(sk->sk_rcvbuf)
to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under:
rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)
The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is equal to sk->sk_rcvbuf. Thus the function neither successfully accepts these conditions, nor manages to reschedule the task - and is called in retry loop for indefinite time which is caught as:
rcu: INFO: rcu_sched self-detected stall on CPU rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212 (t=26000 jiffies g=230833 q=259957) NMI backtrace for cpu 0 CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014 Call Trace: <IRQ> dump_stack lib/dump_stack.c:120 nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105 nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62 rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335 rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590 update_process_times kernel/time/timer.c:1953 tick_sched_handle kernel/time/tick-sched.c:227 tick_sched_timer kernel/time/tick-sched.c:1399 __hrtimer_run_queues kernel/time/hrtimer.c:1652 hrtimer_interrupt kernel/time/hrtimer.c:1717 __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 asm_call_irq_on_stack arch/x86/entry/entry_64.S:808 </IRQ>
netlink_attachskb net/netlink/af_netlink.c:1234 netlink_unicast net/netlink/af_netlink.c:1349 kauditd_send_queue kernel/audit.c:776 kauditd_thread kernel/audit.c:897 kthread kernel/kthread.c:328 ret_from_fork arch/x86/entry/entry_64.S:304
Restore the original behavior of the check which commit in Fixes accidentally missed when restructuring the code.
Found by Linux Verification Center (linuxtesting.org).
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/10/2026
The vulnerability identified as CVE-2025-38727 resides within the Linux kernel's netlink subsystem, specifically in the netlink_unicast() function which handles unicast messaging between kernel and user-space processes. This flaw manifests as an infinite retry loop that can cause system instability and potential denial of service conditions. The issue stems from improper memory allocation checks within the netlink_attachskb() function that manages socket receive buffer constraints. The vulnerability occurs when processing network packets through netlink sockets, where the kernel fails to properly handle edge cases in memory allocation logic, leading to a condition where the system becomes trapped in an endless loop of memory checks without making progress.
The technical implementation of this vulnerability involves a race condition and logic error in the memory management subsystem of the Linux kernel's networking stack. The problematic code path begins with netlink_attachskb() performing checks on socket receive buffer constraints using the condition rmem < READ_ONCE(sk->sk_rcvbuf) to determine if newly allocated memory fits within the socket's receive buffer. However, when the check fails, the code attempts to wait for memory availability through a secondary condition rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf), yet this logic fails to account for cases where skb->truesize + sk->sk_rmem_alloc equals sk->sk_rcvbuf exactly. This mathematical edge case creates a condition where neither the acceptance nor the rescheduling logic executes properly, causing the function to retry indefinitely without advancing the system state. The flaw demonstrates a classic example of improper boundary condition handling in kernel memory management, where the edge case of exact buffer exhaustion is not properly considered in the retry logic.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially causing complete system lockups and denial of service conditions. When the infinite retry loop occurs, it triggers RCU (Read-Copy-Update) scheduler warnings indicating that the system has detected a stall on CPU, as evidenced by the rcu_sched self-detected stall messages in the kernel logs. The stack trace shows the execution path leading to the problem through kauditd_send_queue and kauditd_thread, indicating that audit logging processes are particularly susceptible to this condition. The system effectively becomes unresponsive as the CPU remains trapped in the retry loop, with the RCU subsystem detecting the stall and logging the condition. This behavior aligns with ATT&CK technique T1499.004 (Resource Hijacking) where system resources become consumed by malicious or faulty processes. The vulnerability affects systems running kernel versions that include the problematic code changes, typically those that have undergone restructuring commits that inadvertently removed proper boundary condition handling.
The root cause of this vulnerability can be traced to a regression introduced during code restructuring, where a critical boundary condition check was accidentally omitted or modified incorrectly. This type of issue is classified under CWE-367 as a Time-of-Check Time-of-Use (TOCTOU) vulnerability, where the memory allocation state changes between the check and the actual allocation, but the logic fails to properly handle the transition. The fix requires restoring the original behavior of the memory allocation check that was inadvertently removed during the restructuring process, specifically addressing the edge case where memory allocation exactly matches the buffer capacity. The solution involves ensuring that the memory management logic properly evaluates all boundary conditions including the case where packet size plus current memory allocation equals the socket buffer limit, thereby preventing the infinite retry condition. This vulnerability demonstrates the critical importance of thorough regression testing when refactoring kernel code, particularly in memory management subsystems where incorrect boundary conditions can lead to system-wide stability issues. Organizations should prioritize applying kernel updates that contain the corrected memory allocation logic to prevent exploitation of this vulnerability, which could be leveraged to cause system denial of service or resource exhaustion attacks.