{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38734","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.034Z","datePublished":"2025-09-05T17:20:34.126Z","dateUpdated":"2026-05-11T21:33:57.241Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:33:57.241Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix UAF on smcsk after smc_listen_out()\n\nBPF CI testing report a UAF issue:\n\n  [   16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003  0\n  [   16.447134] #PF: supervisor read access in kernel mod  e\n  [   16.447516] #PF: error_code(0x0000) - not-present pag  e\n  [   16.447878] PGD 0 P4D   0\n  [   16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT  I\n  [   16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G           OE      6.13.0-rc3-g89e8a75fda73-dirty #4  2\n  [   16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODUL  E\n  [   16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/201  4\n  [   16.450201] Workqueue: smc_hs_wq smc_listen_wor  k\n  [   16.450531] RIP: 0010:smc_listen_work+0xc02/0x159  0\n  [   16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 0001024  6\n  [   16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 000000000000030  0\n  [   16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 000000000000000  0\n  [   16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 000000000000000  5\n  [   16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0978274640  0\n  [   16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d4092  0\n  [   16.454996] FS:  0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:000000000000000  0\n  [   16.455557] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003  3\n  [   16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef  0\n  [   16.456459] PKRU: 5555555  4\n  [   16.456654] Call Trace  :\n  [   16.456832]  <TASK  >\n  [   16.456989]  ? __die+0x23/0x7  0\n  [   16.457215]  ? page_fault_oops+0x180/0x4c  0\n  [   16.457508]  ? __lock_acquire+0x3e6/0x249  0\n  [   16.457801]  ? exc_page_fault+0x68/0x20  0\n  [   16.458080]  ? asm_exc_page_fault+0x26/0x3  0\n  [   16.458389]  ? smc_listen_work+0xc02/0x159  0\n  [   16.458689]  ? smc_listen_work+0xc02/0x159  0\n  [   16.458987]  ? lock_is_held_type+0x8f/0x10  0\n  [   16.459284]  process_one_work+0x1ea/0x6d  0\n  [   16.459570]  worker_thread+0x1c3/0x38  0\n  [   16.459839]  ? __pfx_worker_thread+0x10/0x1  0\n  [   16.460144]  kthread+0xe0/0x11  0\n  [   16.460372]  ? __pfx_kthread+0x10/0x1  0\n  [   16.460640]  ret_from_fork+0x31/0x5  0\n  [   16.460896]  ? __pfx_kthread+0x10/0x1  0\n  [   16.461166]  ret_from_fork_asm+0x1a/0x3  0\n  [   16.461453]  </TASK  >\n  [   16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE)  ]\n  [   16.462134] CR2: 000000000000003  0\n  [   16.462380] ---[ end trace 0000000000000000 ]---\n  [   16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590\n\nThe direct cause of this issue is that after smc_listen_out_connected(),\nnewclcsock->sk may be NULL since it will releases the smcsk. Therefore,\nif the application closes the socket immediately after accept,\nnewclcsock->sk can be NULL. A possible execution order could be as\nfollows:\n\nsmc_listen_work                                 | userspace\n-----------------------------------------------------------------\nlock_sock(sk)                                   |\nsmc_listen_out_connected()                      |\n| \\- smc_listen_out                             |\n|    | \\- release_sock                          |\n     | |- sk->sk_data_ready()                   |\n                                                | fd = accept();\n                                                | close(fd);\n                                                |  \\- socket->sk = NULL;\n/* newclcsock->sk is NULL now */\nSMC_STAT_SERV_SUCC_INC(sock_net(newclcsock->sk))\n\nSince smc_listen_out_connected() will not fail, simply swapping the order\nof the code can easily fix this issue."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/smc/af_smc.c"],"versions":[{"version":"3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8","lessThan":"070b4af44c4b6e4c35fb1ca7001a6a88fd2d318f","status":"affected","versionType":"git"},{"version":"3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8","lessThan":"2e765ba0ee0eae35688b443e97108308a716773e","status":"affected","versionType":"git"},{"version":"3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8","lessThan":"85545f1525f9fa9bf44fec77ba011024f15da342","status":"affected","versionType":"git"},{"version":"3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8","lessThan":"d9cef55ed49117bd63695446fb84b4b91815c0b4","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/smc/af_smc.c"],"versions":[{"version":"4.18","status":"affected"},{"version":"0","lessThan":"4.18","status":"unaffected","versionType":"semver"},{"version":"6.6.103","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.44","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.4","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.6.103"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.12.44"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.16.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/070b4af44c4b6e4c35fb1ca7001a6a88fd2d318f"},{"url":"https://git.kernel.org/stable/c/2e765ba0ee0eae35688b443e97108308a716773e"},{"url":"https://git.kernel.org/stable/c/85545f1525f9fa9bf44fec77ba011024f15da342"},{"url":"https://git.kernel.org/stable/c/d9cef55ed49117bd63695446fb84b4b91815c0b4"}],"title":"net/smc: fix UAF on smcsk after smc_listen_out()","x_generator":{"engine":"bippy-1.2.0"}}}}