CVE-2025-23142

sctp: detect and prevent references to a freed transport in sendmsg

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: sctp: detect and prevent references to a freed transport in sendmsg sctp_sendmsg() re-uses associations and transports when possible by
doing a lookup based on the socket endpoint and the message destination
address, and then sctp_sendmsg_to_asoc() sets the selected transport in
all the message chunks to be sent. There's a possible race condition if another thread triggers the removal
of that selected transport, for instance, by explicitly unbinding an
address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have
been set up and before the message is sent. This can happen if the send
buffer is full, during the period when the sender thread temporarily
releases the socket lock in sctp_wait_for_sndbuf(). This causes the access to the transport data in
sctp_outq_select_transport(), when the association outqueue is flushed,
to result in a use-after-free read. This change avoids this scenario by having sctp_transport_free() signal
the freeing of the transport, tagging it as "dead". In order to do this,
the patch restores the "dead" bit in struct sctp_transport, which was
removed in
commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport"). Then, in the scenario where the sender thread has released the socket
lock in sctp_wait_for_sndbuf(), the bit is checked again after
re-acquiring the socket lock to detect the deletion. This is done while
holding a reference to the transport to prevent it from being freed in
the process. If the transport was deleted while the socket lock was relinquished,
sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the
send. The bug was found by a private syzbot instance (see the error report [1]
and the C reproducer that triggers it [2]).

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-01-11 CVE Reserved
2025-05-01 CVE Published
2025-05-01 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/df132eff463873e14e019a07f387b4d577d6d1f9	Vuln. Introduced
https://git.kernel.org/stable/c/26e51e5287eed4d96ea66a3da95429f42940f013	Vuln. Introduced
https://git.kernel.org/stable/c/8b97e045bd6d37f96f161e4d371ae174148e1587	Vuln. Introduced
https://git.kernel.org/stable/c/e044554e97e812eb257d073bcc130e0ea653858f	Vuln. Introduced
https://git.kernel.org/stable/c/8376fdc999be008f0e9918db52f1ed8c08f5a1c9	Vuln. Introduced
https://git.kernel.org/stable/c/cd947138e8c31e8cfcd489c12e9b97271beb6e79	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/7a63f4fb0efb4e69efd990cbb740a848679ec4b0	2025-04-25
https://git.kernel.org/stable/c/c6fefcb71d246baaf3bacdad1af7ff50ebcfe652	2025-04-25
https://git.kernel.org/stable/c/9e7c37fadb3be1fc33073fcf10aa96d166caa697	2025-04-20
https://git.kernel.org/stable/c/5bc83bdf5f5b8010d1ca5a4555537e62413ab4e2	2025-04-20
https://git.kernel.org/stable/c/2e5068b7e0ae0a54f6cfd03a2f80977da657f1ee	2025-04-20
https://git.kernel.org/stable/c/f1a69a940de58b16e8249dff26f74c8cc59b32be	2025-04-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.1.135 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.1.135"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.6.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.6.88"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.12.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.12.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.13.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.13.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.14.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.14.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.15-rc2 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.15-rc2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.18.128 Search vendor "Linux" for product "Linux Kernel" and version "3.18.128"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.4.166 Search vendor "Linux" for product "Linux Kernel" and version "4.4.166"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.9.142 Search vendor "Linux" for product "Linux Kernel" and version "4.9.142"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.85 Search vendor "Linux" for product "Linux Kernel" and version "4.14.85"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.19.6 Search vendor "Linux" for product "Linux Kernel" and version "4.19.6"		en		Affected