{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38124","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.986Z","datePublished":"2025-07-03T08:35:30.499Z","dateUpdated":"2026-05-12T12:04:33.015Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:21:43.175Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix udp gso skb_segment after pull from frag_list\n\nCommit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after\npull from frag_list\") detected invalid geometry in frag_list skbs and\nredirects them from skb_segment_list to more robust skb_segment. But some\npackets with modified geometry can also hit bugs in that code. We don't\nknow how many such cases exist. Addressing each one by one also requires\ntouching the complex skb_segment code, which risks introducing bugs for\nother types of skbs. Instead, linearize all these packets that fail the\nbasic invariants on gso fraglist skbs. That is more robust.\n\nIf only part of the fraglist payload is pulled into head_skb, it will\nalways cause exception when splitting skbs by skb_segment. For detailed\ncall stack information, see below.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify fraglist skbs, breaking these invariants.\n\nIn extreme cases they pull one part of data into skb linear. For UDP,\nthis  causes three payloads with lengths of (11,11,10) bytes were\npulled tail to become (12,10,10) bytes.\n\nThe skbs no longer meets the above SKB_GSO_FRAGLIST conditions because\npayload was pulled into head_skb, it needs to be linearized before pass\nto regular skb_segment.\n\n    skb_segment+0xcd0/0xd14\n    __udp_gso_segment+0x334/0x5f4\n    udp4_ufo_fragment+0x118/0x15c\n    inet_gso_segment+0x164/0x338\n    skb_mac_gso_segment+0xc4/0x13c\n    __skb_gso_segment+0xc4/0x124\n    validate_xmit_skb+0x9c/0x2c0\n    validate_xmit_skb_list+0x4c/0x80\n    sch_direct_xmit+0x70/0x404\n    __dev_queue_xmit+0x64c/0xe5c\n    neigh_resolve_output+0x178/0x1c4\n    ip_finish_output2+0x37c/0x47c\n    __ip_finish_output+0x194/0x240\n    ip_finish_output+0x20/0xf4\n    ip_output+0x100/0x1a0\n    NF_HOOK+0xc4/0x16c\n    ip_forward+0x314/0x32c\n    ip_rcv+0x90/0x118\n    __netif_receive_skb+0x74/0x124\n    process_backlog+0xe8/0x1a4\n    __napi_poll+0x5c/0x1f8\n    net_rx_action+0x154/0x314\n    handle_softirqs+0x154/0x4b8\n\n    [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!\n    [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n    [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000\n    [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000\n    [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)\n    [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14\n    [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14\n    [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/udp_offload.c"],"versions":[{"version":"080e6c9a3908de193a48f646c5ce1bfb15676ffc","lessThan":"0e65f38bd1aa14ea86e221b7bb814d38278d86c3","status":"affected","versionType":"git"},{"version":"af3122f5fdc0d00581d6e598a668df6bf54c9daa","lessThan":"85eef1748c024da1a191aed56b30a3a65958c50c","status":"affected","versionType":"git"},{"version":"a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab","lessThan":"4399f59a9467a324ed46657555f0e1f209a14acb","status":"affected","versionType":"git"},{"version":"a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab","lessThan":"a04302867094bdc6efac1b598370fc47cf3f2388","status":"affected","versionType":"git"},{"version":"a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab","lessThan":"3382a1ed7f778db841063f5d7e317ac55f9e7f72","status":"affected","versionType":"git"},{"version":"33e28acf42ee863f332a958bfc2f1a284a3659df","status":"affected","versionType":"git"},{"version":"3cd00d2e3655fad3bda96dc1ebf17b6495f86fea","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/udp_offload.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.94","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.34","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.3","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.113","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.55","versionEndExcluding":"6.6.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.15.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0e65f38bd1aa14ea86e221b7bb814d38278d86c3"},{"url":"https://git.kernel.org/stable/c/85eef1748c024da1a191aed56b30a3a65958c50c"},{"url":"https://git.kernel.org/stable/c/4399f59a9467a324ed46657555f0e1f209a14acb"},{"url":"https://git.kernel.org/stable/c/a04302867094bdc6efac1b598370fc47cf3f2388"},{"url":"https://git.kernel.org/stable/c/3382a1ed7f778db841063f5d7e317ac55f9e7f72"}],"title":"net: fix udp gso skb_segment after pull from frag_list","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:34:23.227Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T12:04:33.015Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html"}]}]}}