CVE-2025-38727

In the Linux kernel, the following vulnerability has been resolved:

netlink: avoid infinite retry looping in netlink_unicast()

netlink_attachskb() checks for the socket's read memory allocation
constraints. Firstly, it has:

  rmem < READ_ONCE(sk->sk_rcvbuf)

to check if the just increased rmem value fits into the socket's receive
buffer. If not, it proceeds and tries to wait for the memory under:

  rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)

The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
these conditions, nor manages to reschedule the task - and is called in
retry loop for indefinite time which is caught as:

  rcu: INFO: rcu_sched self-detected stall on CPU
  rcu:     0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
  (t=26000 jiffies g=230833 q=259957)
  NMI backtrace for cpu 0
  CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
  Call Trace:
  <IRQ>
  dump_stack lib/dump_stack.c:120
  nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
  nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
  rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
  rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
  update_process_times kernel/time/timer.c:1953
  tick_sched_handle kernel/time/tick-sched.c:227
  tick_sched_timer kernel/time/tick-sched.c:1399
  __hrtimer_run_queues kernel/time/hrtimer.c:1652
  hrtimer_interrupt kernel/time/hrtimer.c:1717
  __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
  asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
  </IRQ>

  netlink_attachskb net/netlink/af_netlink.c:1234
  netlink_unicast net/netlink/af_netlink.c:1349
  kauditd_send_queue kernel/audit.c:776
  kauditd_thread kernel/audit.c:897
  kthread kernel/kthread.c:328
  ret_from_fork arch/x86/entry/entry_64.S:304

Restore the original behavior of the check which commit in Fixes
accidentally missed when restructuring the code.

Found by Linux Verification Center (linuxtesting.org).
Infinite Loop
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
LinuxCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
VendorProductVersion
linuxlinux_kernel
6.1.146 ≤
𝑥
< 6.1.149
linuxlinux_kernel
6.6.99 ≤
𝑥
< 6.6.103
linuxlinux_kernel
6.12.39 ≤
𝑥
< 6.12.43
linuxlinux_kernel
6.15.7 ≤
𝑥
< 6.15.11
linuxlinux_kernel
6.16.1 ≤
𝑥
< 6.16.2
linuxlinux_kernel
5.4.296
linuxlinux_kernel
5.10.240
linuxlinux_kernel
5.15.189
linuxlinux_kernel
6.16
linuxlinux_kernel
6.16:rc6
linuxlinux_kernel
6.16:rc7
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
vulnerable
bullseye (security)
5.10.247-1
fixed
bookworm
6.1.159-1
fixed
bookworm (security)
6.1.158-1
fixed
trixie
6.12.63-1
fixed
trixie (security)
6.12.48-1
fixed
forky
6.17.13-1
fixed
sid
6.18.5-1
fixed
linux-6.1
bullseye (security)
6.1.159-1~deb11u1
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/346c820ef5135cf062fa3473da955ef8c5fb6929
https://git.kernel.org/stable/c/44ddd7b1ae0b7edb2c832eb16798c827a05e58f0
https://git.kernel.org/stable/c/47d49fd07f86d1f55ea1083287303d237e9e0922
https://git.kernel.org/stable/c/6bee383ff83352a693d03efdf27cdd80742f71b2
https://git.kernel.org/stable/c/759dfc7d04bab1b0b86113f1164dc1fec192b859
https://git.kernel.org/stable/c/78fcd69d55c5f11d7694c547eca767a1cfd38ec4
https://git.kernel.org/stable/c/d42b71a34f6b8a2d5c53df81169b03b8d8b5cf4e
https://git.kernel.org/stable/c/e8edc7de688791a337c068693f22e8d8b869df71
https://git.kernel.org/stable/c/f324959ad47e62e3cadaffa65d3cff790fb48529
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html