CVE-2025-39950
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-04

Last updated on: 2025-10-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR A NULL pointer dereference can occur in tcp_ao_finish_connect() during a connect() system call on a socket with a TCP-AO key added and TCP_REPAIR enabled. The function is called with skb being NULL and attempts to dereference it on tcp_hdr(skb)->seq without a prior skb validation. Fix this by checking if skb is NULL before dereferencing it. The commentary is taken from bpf_skops_established(), which is also called in the same flow. Unlike the function being patched, bpf_skops_established() validates the skb before dereferencing it. int main(void){ struct sockaddr_in sockaddr; struct tcp_ao_add tcp_ao; int sk; int one = 1; memset(&sockaddr,'\0',sizeof(sockaddr)); memset(&tcp_ao,'\0',sizeof(tcp_ao)); sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); sockaddr.sin_family = AF_INET; memcpy(tcp_ao.alg_name,"cmac(aes128)",12); memcpy(tcp_ao.key,"ABCDEFGHABCDEFGH",16); tcp_ao.keylen = 16; memcpy(&tcp_ao.addr,&sockaddr,sizeof(sockaddr)); setsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, &tcp_ao, sizeof(tcp_ao)); setsockopt(sk, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one)); sockaddr.sin_family = AF_INET; sockaddr.sin_port = htobe16(123); inet_aton("127.0.0.1", &sockaddr.sin_addr); connect(sk,(struct sockaddr *)&sockaddr,sizeof(sockaddr)); return 0; } $ gcc tcp-ao-nullptr.c -o tcp-ao-nullptr -Wall $ unshare -Urn BUG: kernel NULL pointer dereference, address: 00000000000000b6 PGD 1f648d067 P4D 1f648d067 PUD 1982e8067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:tcp_ao_finish_connect (net/ipv4/tcp_ao.c:1182)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-04
Last Modified
2025-10-06
Generated
2026-05-07
AI Q&A
2025-10-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-39950
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a NULL pointer dereference in the Linux kernel's TCP-AO implementation when used with TCP_REPAIR. Specifically, during a connect() system call on a socket that has a TCP-AO key added and TCP_REPAIR enabled, the function tcp_ao_finish_connect() attempts to dereference a NULL skb pointer without checking if it is NULL first. This causes a kernel crash (NULL pointer dereference). The issue arises because skb is not validated before being dereferenced, unlike in a similar function bpf_skops_established() which performs this validation.


How can this vulnerability impact me? :

This vulnerability can cause a kernel crash due to a NULL pointer dereference when using TCP-AO with TCP_REPAIR enabled. This can lead to denial of service (DoS) on the affected system, potentially causing system instability or downtime.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the NULL pointer dereference condition using a test program that creates a socket, adds a TCP-AO key, enables TCP_REPAIR, and then performs a connect() call. The provided example code demonstrates this approach. Running this test on a vulnerable kernel will cause a kernel NULL pointer dereference and an Oops message in the kernel logs. Monitoring kernel logs (e.g., using dmesg) for such Oops messages related to tcp_ao_finish_connect can also help detect the issue.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of TCP-AO keys in combination with TCP_REPAIR on affected Linux kernel versions until a patch is applied. Updating the Linux kernel to a version where the fix is implemented, which includes a NULL check for skb before dereferencing it in tcp_ao_finish_connect(), is the recommended permanent solution.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart