
CVE-2025-37894: Vulnerability in Linux Linux

High
Tags: Vulnerability, CVE-2025-37894, cve, cve-2025-37894
Published: Tue May 20 2025 (05/20/2025, 15:21:31 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: net: use sock_gen_put() when sk_state is TCP_TIME_WAIT

It is possible for a pointer of type struct inet_timewait_sock to be returned from the functions __inet_lookup_established() and __inet6_lookup_established(). This can cause a crash when the returned pointer is of type struct inet_timewait_sock and sock_put() is called on it. The following is a crash call stack that shows sk->sk_wmem_alloc being accessed in sk_free() during the call to sock_put() on a struct inet_timewait_sock pointer. To avoid this issue, use sock_gen_put() instead of sock_put() when sk->sk_state is TCP_TIME_WAIT.

    mrdump.ko ipanic() + 120
    vmlinux notifier_call_chain(nr_to_call=-1, nr_calls=0) + 132
    vmlinux atomic_notifier_call_chain(val=0) + 56
    vmlinux panic() + 344
    vmlinux add_taint() + 164
    vmlinux end_report() + 136
    vmlinux kasan_report(size=0) + 236
    vmlinux report_tag_fault() + 16
    vmlinux do_tag_recovery() + 16
    vmlinux __do_kernel_fault() + 88
    vmlinux do_bad_area() + 28
    vmlinux do_tag_check_fault() + 60
    vmlinux do_mem_abort() + 80
    vmlinux el1_abort() + 56
    vmlinux el1h_64_sync_handler() + 124
    vmlinux > 0xFFFFFFC080011294()
    vmlinux __lse_atomic_fetch_add_release(v=0xF2FFFF82A896087C)
    vmlinux __lse_atomic_fetch_sub_release(v=0xF2FFFF82A896087C)
    vmlinux arch_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8
    vmlinux raw_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8
    vmlinux atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8
    vmlinux __refcount_sub_and_test(i=1, r=0xF2FFFF82A896087C, oldp=0) + 8
    vmlinux __refcount_dec_and_test(r=0xF2FFFF82A896087C, oldp=0) + 8
    vmlinux refcount_dec_and_test(r=0xF2FFFF82A896087C) + 8
    vmlinux sk_free(sk=0xF2FFFF82A8960700) + 28
    vmlinux sock_put() + 48
    vmlinux tcp6_check_fraglist_gro() + 236
    vmlinux tcp6_gro_receive() + 624
    vmlinux ipv6_gro_receive() + 912
    vmlinux dev_gro_receive() + 1116
    vmlinux napi_gro_receive() + 196
    ccmni.ko ccmni_rx_callback() + 208
    ccmni.ko ccmni_queue_recv_skb() + 388
    ccci_dpmaif.ko dpmaif_rxq_push_thread() + 1088
    vmlinux kthread() + 268
    vmlinux 0xFFFFFFC08001F30C()

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 01:12:28 UTC

Technical Analysis

CVE-2025-37894 is a vulnerability in the Linux kernel's handling of socket references for connections in the TCP_TIME_WAIT state. The lookup functions __inet_lookup_established() and __inet6_lookup_established() can return a pointer to a struct inet_timewait_sock rather than to a full struct sock. When such a pointer is passed to sock_put(), the final reference drop reaches sk_free(), which accesses sk->sk_wmem_alloc, a struct sock field that the TIME_WAIT object does not carry; the result is an invalid memory access and a kernel crash. The root cause is that sock_put() assumes a full socket, whereas sock_gen_put() chooses the release routine according to sk->sk_state and therefore frees a TIME_WAIT socket safely. The call stack in the description shows the fault being reached from the IPv6 GRO receive path (tcp6_check_fraglist_gro() calling sock_put()) and reported by KASAN before the kernel panics. The flaw affects Linux kernel versions identified by the commit hash c9d1d23e5239f41700be69133a5769ac5ebc88a8 and likely other versions with similar socket management code. No exploits are known in the wild, and no CVSS score has been assigned yet. The vulnerability is primarily a denial-of-service (DoS) vector: an attacker who could make the kernel mishandle a socket reference in TIME_WAIT state through TCP traffic could trigger a kernel panic, affecting the availability and stability of servers and network devices running vulnerable kernels. The fix replaces sock_put() with sock_gen_put() when the socket state is TCP_TIME_WAIT, so that reference counting stays safe and the crash no longer occurs.
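To make the mechanism concrete, the following is an added userspace model written for this page; it is not kernel code and its struct layouts are simplified assumptions. It keeps the one property that matters: struct sock and struct inet_timewait_sock share a common header, so a lookup can hand back either one as a struct sock *, but the TIME_WAIT object ends long before the offset of sk_wmem_alloc. sock_put_model() mirrors the unfixed path (drop the reference, then sk_free() assumes a full socket) and stops where the kernel faulted; sock_gen_put_model() mirrors the fix by checking sk_state before choosing a release routine, as the real sock_gen_put() does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* TCP state numbers as the kernel defines them. */
enum { TCP_ESTABLISHED = 1, TCP_TIME_WAIT = 6 };

/* Header shared by struct sock and struct inet_timewait_sock. The hash-table
 * lookups only guarantee that this part of the returned object exists. */
struct sock_common {
    unsigned char skc_state;   /* read as sk->sk_state */
    int           skc_refcnt;  /* read as sk->sk_refcnt */
};

/* Simplified full socket (assumed layout, not the kernel's). */
struct sock {
    struct sock_common __sk_common;
    unsigned char      sk_fields[64]; /* stands in for the fields before sk_wmem_alloc */
    int                sk_wmem_alloc; /* the field sk_free() touched in the crash stack */
};

/* Simplified TIME_WAIT placeholder (assumed layout): same header, no sk_wmem_alloc. */
struct inet_timewait_sock {
    struct sock_common __tw_common;
    int                tw_timeout;
};

#define sk_state  __sk_common.skc_state
#define sk_refcnt __sk_common.skc_refcnt

enum put_result { PUT_KEPT, PUT_FREED_SOCK, PUT_FREED_TWSK, PUT_WOULD_FAULT };

/* Size of the object a struct sock * really points to, decided by its state. */
static size_t real_object_size(const struct sock *sk)
{
    return sk->sk_state == TCP_TIME_WAIT ? sizeof(struct inet_timewait_sock)
                                         : sizeof(struct sock);
}

/* Does sk_free()'s read of sk_wmem_alloc stay inside the real object? */
bool sk_free_access_in_bounds(const struct sock *sk)
{
    size_t end = offsetof(struct sock, sk_wmem_alloc) + sizeof(sk->sk_wmem_alloc);
    return end <= real_object_size(sk);
}

/* Unfixed path: the last reference drop goes to sk_free(), which assumes a
 * full struct sock. The model reports the fault instead of performing it. */
enum put_result sock_put_model(struct sock *sk)
{
    if (--sk->sk_refcnt != 0)
        return PUT_KEPT;
    if (!sk_free_access_in_bounds(sk))
        return PUT_WOULD_FAULT;  /* the kernel crash described on this page */
    (void)sk->sk_wmem_alloc;     /* sk_free() bookkeeping on the real field */
    free(sk);
    return PUT_FREED_SOCK;
}

/* Fixed path: sock_gen_put() looks at sk_state before picking a release routine
 * (the real function also handles request sockets, omitted here). */
enum put_result sock_gen_put_model(struct sock *sk)
{
    if (--sk->sk_refcnt != 0)
        return PUT_KEPT;
    if (sk->sk_state == TCP_TIME_WAIT) {
        free((struct inet_timewait_sock *)sk);  /* inet_twsk_free() in the kernel */
        return PUT_FREED_TWSK;
    }
    (void)sk->sk_wmem_alloc;
    free(sk);
    return PUT_FREED_SOCK;
}

/* Build a lookup result of either kind with one reference held by the caller. */
struct sock *make_lookup_result(int state)
{
    if (state == TCP_TIME_WAIT) {
        struct inet_timewait_sock *tw = calloc(1, sizeof *tw);
        tw->__tw_common.skc_state = TCP_TIME_WAIT;
        tw->__tw_common.skc_refcnt = 1;
        return (struct sock *)tw;  /* what __inet_lookup_established() may hand back */
    }
    struct sock *sk = calloc(1, sizeof *sk);
    sk->sk_state = (unsigned char)state;
    sk->sk_refcnt = 1;
    return sk;
}

/* Drop the caller's reference on a fresh object with one of the two routines. */
enum put_result put_fresh(int state, bool use_gen_put)
{
    struct sock *sk = make_lookup_result(state);
    enum put_result r = use_gen_put ? sock_gen_put_model(sk) : sock_put_model(sk);
    if (r == PUT_WOULD_FAULT)
        free(sk);  /* the model stopped short of freeing; release it here */
    return r;
}

int main(void)
{
    printf("TIME_WAIT object: %zu bytes; sk_wmem_alloc offset: %zu\n",
           sizeof(struct inet_timewait_sock), offsetof(struct sock, sk_wmem_alloc));
    printf("sock_put on TIME_WAIT %s; sock_gen_put frees it as twsk: %s\n",
           put_fresh(TCP_TIME_WAIT, false) == PUT_WOULD_FAULT ? "would fault" : "ok",
           put_fresh(TCP_TIME_WAIT, true) == PUT_FREED_TWSK ? "yes" : "no");
    return 0;
}
```

The model is also a useful review heuristic for similar code: any caller that obtains a struct sock * from the established-hash lookups and releases it with sock_put() without first checking sk_state is suspect, which is exactly the pattern the fix corrects.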

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the availability and stability of Linux-based systems, including servers, network appliances, and embedded devices that handle TCP/IP traffic. Exploitation could lead to kernel panics and system reboots, disrupting critical services such as web hosting, cloud infrastructure, telecommunications, and industrial control systems. Organizations relying on Linux for network infrastructure or edge computing could experience downtime, impacting business operations and service delivery. While the vulnerability does not directly expose confidentiality or integrity risks, the resulting denial-of-service could be leveraged as part of a larger attack chain or to cause operational disruption. Given the widespread use of Linux in Europe across public and private sectors, including government, finance, and telecommunications, the impact could be significant if exploited at scale. However, the lack of known exploits and the requirement for specific conditions to trigger the fault somewhat limit immediate risk. Still, unpatched systems remain vulnerable to potential future exploitation attempts.

Mitigation Recommendations

European organizations should promptly apply the kernel update that replaces sock_put() with sock_gen_put() for sockets in the TCP_TIME_WAIT state. Since the vulnerability lies in kernel-level socket handling, updating to the latest stable kernel provided by the distribution vendor is critical. Organizations running custom or embedded Linux kernels should backport the fix or upgrade accordingly. Network administrators should monitor kernel logs for crashes or panics in the socket-handling or GRO receive paths and implement proactive system health checks. Limiting the exposure of vulnerable systems to untrusted networks reduces the risk of exploitation, and network segmentation and firewall rules that restrict unnecessary TCP traffic can reduce the attack surface. For critical infrastructure, consider kernel live patching to minimize downtime during remediation. Finally, maintain robust incident response plans so that any denial-of-service incident stemming from this vulnerability can be addressed quickly.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.964Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeaf35

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 1:12:28 AM

Last updated: 8/12/2025, 2:23:31 AM

Views: 18
