CVE-2025-38727

EUVD-2025-26742
In the Linux kernel, the following vulnerability has been resolved:

netlink: avoid infinite retry looping in netlink_unicast()

netlink_attachskb() checks for the socket's read memory allocation
constraints. Firstly, it has:

  rmem < READ_ONCE(sk->sk_rcvbuf)

to check if the just increased rmem value fits into the socket's receive
buffer. If not, it proceeds and tries to wait for the memory under:

  rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)

The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
these conditions, nor manages to reschedule the task - and is called in
retry loop for indefinite time which is caught as:

  rcu: INFO: rcu_sched self-detected stall on CPU
  rcu:     0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
  (t=26000 jiffies g=230833 q=259957)
  NMI backtrace for cpu 0
  CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
  Call Trace:
  <IRQ>
  dump_stack lib/dump_stack.c:120
  nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
  nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
  rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
  rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
  update_process_times kernel/time/timer.c:1953
  tick_sched_handle kernel/time/tick-sched.c:227
  tick_sched_timer kernel/time/tick-sched.c:1399
  __hrtimer_run_queues kernel/time/hrtimer.c:1652
  hrtimer_interrupt kernel/time/hrtimer.c:1717
  __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
  asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
  </IRQ>

  netlink_attachskb net/netlink/af_netlink.c:1234
  netlink_unicast net/netlink/af_netlink.c:1349
  kauditd_send_queue kernel/audit.c:776
  kauditd_thread kernel/audit.c:897
  kthread kernel/kthread.c:328
  ret_from_fork arch/x86/entry/entry_64.S:304

Restore the original behavior of the check which commit in Fixes
accidentally missed when restructuring the code.

Found by Linux Verification Center (linuxtesting.org).
Infinite Loop
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
siemens-SADPADP
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
6.1.146 ≤
𝑥
< 6.1.149
linuxlinux_kernel
6.6.99 ≤
𝑥
< 6.6.103
linuxlinux_kernel
6.12.39 ≤
𝑥
< 6.12.43
linuxlinux_kernel
6.15.7 ≤
𝑥
< 6.15.11
linuxlinux_kernel
6.16.1 ≤
𝑥
< 6.16.2
linuxlinux_kernel
5.4.296
linuxlinux_kernel
5.10.240
linuxlinux_kernel
5.15.189
linuxlinux_kernel
6.16
linuxlinux_kernel
6.16:rc6
linuxlinux_kernel
6.16:rc7
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
SiemensSIMATIC CN 4100
𝑥
< V5.0
ADP
SiemensSIMATIC S7-1500 CPU 1518-4 PN\/DP MFP
V3.1.5 ≤
𝑥
< *
ADP
SiemensSIMATIC S7-1500 CPU 1518-4 PN\/DP MFP
V3.1.5 ≤
𝑥
< *
ADP
SiemensSIMATIC S7-1500 CPU 1518F-4 PN\/DP MFP
V3.1.5 ≤
𝑥
< *
ADP
SiemensSIMATIC S7-1500 CPU 1518F-4 PN\/DP MFP
V3.1.5 ≤
𝑥
< *
ADP
SiemensSIPLUS S7-1500 CPU 1518-4 PN\/DP MFP
V3.1.5 ≤
𝑥
< *
ADP
siemenssimatic_cn_4100
𝑥
< 5.0
ADP
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.257-1
fixed
forky
7.0.10-1
fixed
sid
7.0.10-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.90-2
fixed
linux-6.1
bullseye (security)
6.1.174-1~deb11u1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
dlm-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
gfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
kernel-64kb
suse enterprise desktop 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.22.1
fixed
kernel-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.18.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.18.1
fixed
kernel-default
suse enterprise desktop 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.22.1
fixed
kernel-default-base
suse enterprise desktop 15 SP6
6.4.0-150600.23.73.1.150600.12.32.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.22.1.150700.17.15.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.73.1.150600.12.32.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.22.1.150700.17.15.1
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.73.1.150600.12.32.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.22.1.150700.17.15.1
fixed
kernel-default-man
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
kernel-docs
suse enterprise desktop 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.22.1
fixed
kernel-macros
suse enterprise desktop 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.22.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.22.1
fixed
kernel-source
suse enterprise desktop 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.22.1
fixed
kernel-source-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.18.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.18.1
fixed
kernel-syms
suse enterprise desktop 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.22.1
fixed
kernel-syms-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.18.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.18.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.22.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.73.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.22.1
fixed
ocfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/346c820ef5135cf062fa3473da955ef8c5fb6929
https://git.kernel.org/stable/c/44ddd7b1ae0b7edb2c832eb16798c827a05e58f0
https://git.kernel.org/stable/c/47d49fd07f86d1f55ea1083287303d237e9e0922
https://git.kernel.org/stable/c/6bee383ff83352a693d03efdf27cdd80742f71b2
https://git.kernel.org/stable/c/759dfc7d04bab1b0b86113f1164dc1fec192b859
https://git.kernel.org/stable/c/78fcd69d55c5f11d7694c547eca767a1cfd38ec4
https://git.kernel.org/stable/c/d42b71a34f6b8a2d5c53df81169b03b8d8b5cf4e
https://git.kernel.org/stable/c/e8edc7de688791a337c068693f22e8d8b869df71
https://git.kernel.org/stable/c/f324959ad47e62e3cadaffa65d3cff790fb48529
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
https://cert-portal.siemens.com/productcert/html/ssa-032379.html
https://cert-portal.siemens.com/productcert/html/ssa-082556.html