CVE-2025-38727

04.09.2025, 16:15

In the Linux kernel, the following vulnerability has been resolved:

netlink: avoid infinite retry looping in netlink_unicast()

netlink_attachskb() checks for the socket's read memory allocation
constraints. Firstly, it has:

  rmem < READ_ONCE(sk->sk_rcvbuf)

to check if the just increased rmem value fits into the socket's receive
buffer. If not, it proceeds and tries to wait for the memory under:

  rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)

The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
these conditions, nor manages to reschedule the task - and is called in
retry loop for indefinite time which is caught as:

  rcu: INFO: rcu_sched self-detected stall on CPU
  rcu:     0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
  (t=26000 jiffies g=230833 q=259957)
  NMI backtrace for cpu 0
  CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
  Call Trace:
  <IRQ>
  dump_stack lib/dump_stack.c:120
  nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
  nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
  rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
  rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
  update_process_times kernel/time/timer.c:1953
  tick_sched_handle kernel/time/tick-sched.c:227
  tick_sched_timer kernel/time/tick-sched.c:1399
  __hrtimer_run_queues kernel/time/hrtimer.c:1652
  hrtimer_interrupt kernel/time/hrtimer.c:1717
  __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
  asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
  </IRQ>

  netlink_attachskb net/netlink/af_netlink.c:1234
  netlink_unicast net/netlink/af_netlink.c:1349
  kauditd_send_queue kernel/audit.c:776
  kauditd_thread kernel/audit.c:897
  kthread kernel/kthread.c:328
  ret_from_fork arch/x86/entry/entry_64.S:304

Restore the original behavior of the check which commit in Fixes
accidentally missed when restructuring the code.

Found by Linux Verification Center (linuxtesting.org).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	vulnerable
bookworm (security)	vulnerable
trixie	vulnerable
trixie (security)	vulnerable
forky	6.16.3-1 fixed
sid	6.16.3-1 fixed

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder andere nicht spezifizierte Angriffe durchzuführen.
Published: 2025-09-04T22:00:00+00:00

References

https://git.kernel.org/stable/c/346c820ef5135cf062fa3473da955ef8c5fb6929

https://git.kernel.org/stable/c/44ddd7b1ae0b7edb2c832eb16798c827a05e58f0

https://git.kernel.org/stable/c/47d49fd07f86d1f55ea1083287303d237e9e0922

https://git.kernel.org/stable/c/6bee383ff83352a693d03efdf27cdd80742f71b2

https://git.kernel.org/stable/c/759dfc7d04bab1b0b86113f1164dc1fec192b859

https://git.kernel.org/stable/c/78fcd69d55c5f11d7694c547eca767a1cfd38ec4

https://git.kernel.org/stable/c/d42b71a34f6b8a2d5c53df81169b03b8d8b5cf4e

https://git.kernel.org/stable/c/e8edc7de688791a337c068693f22e8d8b869df71

https://git.kernel.org/stable/c/f324959ad47e62e3cadaffa65d3cff790fb48529