{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38154","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.990Z","datePublished":"2025-07-03T08:35:57.188Z","dateUpdated":"2026-05-11T21:22:18.340Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:22:18.340Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Avoid using sk_socket after free when sending\n\nThe sk->sk_socket is not locked or referenced in backlog thread, and\nduring the call to skb_send_sock(), there is a race condition with\nthe release of sk_socket. All types of sockets(tcp/udp/unix/vsock)\nwill be affected.\n\nRace conditions:\n'''\nCPU0                               CPU1\n\nbacklog::skb_send_sock\n  sendmsg_unlocked\n    sock_sendmsg\n      sock_sendmsg_nosec\n                                   close(fd):\n                                     ...\n                                     ops->release() -> sock_map_close()\n                                     sk_socket->ops = NULL\n                                     free(socket)\n      sock->ops->sendmsg\n            ^\n            panic here\n'''\n\nThe ref of psock become 0 after sock_map_close() executed.\n'''\nvoid sock_map_close()\n{\n    ...\n    if (likely(psock)) {\n    ...\n    // !! here we remove psock and the ref of psock become 0\n    sock_map_remove_links(sk, psock)\n    psock = sk_psock_get(sk);\n    if (unlikely(!psock))\n        goto no_psock; <=== Control jumps here via goto\n        ...\n        cancel_delayed_work_sync(&psock->work); <=== not executed\n        sk_psock_put(sk, psock);\n        ...\n}\n'''\n\nBased on the fact that we already wait for the workqueue to finish in\nsock_map_close() if psock is held, we simply increase the psock\nreference count to avoid race conditions.\n\nWith this patch, if the backlog thread is running, sock_map_close() will\nwait for the backlog thread to complete and cancel all pending work.\n\nIf no backlog running, any pending work that hasn't started by then will\nfail when invoked by sk_psock_get(), as the psock reference count have\nbeen zeroed, and sk_psock_drop() will cancel all jobs via\ncancel_delayed_work_sync().\n\nIn summary, we require synchronization to coordinate the backlog thread\nand close() thread.\n\nThe panic I catched:\n'''\nWorkqueue: events sk_psock_backlog\nRIP: 0010:sock_sendmsg+0x21d/0x440\nRAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001\n...\nCall Trace:\n <TASK>\n ? die_addr+0x40/0xa0\n ? exc_general_protection+0x14c/0x230\n ? asm_exc_general_protection+0x26/0x30\n ? sock_sendmsg+0x21d/0x440\n ? sock_sendmsg+0x3e0/0x440\n ? __pfx_sock_sendmsg+0x10/0x10\n __skb_send_sock+0x543/0xb70\n sk_psock_backlog+0x247/0xb80\n...\n'''"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/skmsg.c"],"versions":[{"version":"4959ffc65a0e94f8acaac20deac49f89e6ded52d","lessThan":"4edb40b05cb6a261775abfd8046804ca139a5546","status":"affected","versionType":"git"},{"version":"5eabdf17fed2ad41b836bb4055ec36d95e512c50","lessThan":"b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9","status":"affected","versionType":"git"},{"version":"e946428439a0d2079959f5603256ac51b6047017","lessThan":"4c6fa65ab2aec7df94809478c8d28ef38676a1b7","status":"affected","versionType":"git"},{"version":"4b4647add7d3c8530493f7247d11e257ee425bf0","lessThan":"15c0250dae3b48a398447d2b364603821ed4ed90","status":"affected","versionType":"git"},{"version":"4b4647add7d3c8530493f7247d11e257ee425bf0","lessThan":"7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987","status":"affected","versionType":"git"},{"version":"4b4647add7d3c8530493f7247d11e257ee425bf0","lessThan":"8259eb0e06d8f64c700f5fbdb28a5c18e10de291","status":"affected","versionType":"git"},{"version":"3627605de498639a3c586c8684d12c89cba11073","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/skmsg.c"],"versions":[{"version":"6.10","status":"affected"},{"version":"0","lessThan":"6.10","status":"unaffected","versionType":"semver"},{"version":"5.15.186","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.94","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.34","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.3","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.162","versionEndExcluding":"5.15.186"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.95","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.35","versionEndExcluding":"6.6.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.12.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.15.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4edb40b05cb6a261775abfd8046804ca139a5546"},{"url":"https://git.kernel.org/stable/c/b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9"},{"url":"https://git.kernel.org/stable/c/4c6fa65ab2aec7df94809478c8d28ef38676a1b7"},{"url":"https://git.kernel.org/stable/c/15c0250dae3b48a398447d2b364603821ed4ed90"},{"url":"https://git.kernel.org/stable/c/7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987"},{"url":"https://git.kernel.org/stable/c/8259eb0e06d8f64c700f5fbdb28a5c18e10de291"}],"title":"bpf, sockmap: Avoid using sk_socket after free when sending","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:34:44.423Z"}}]}}