{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39965","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.149Z","datePublished":"2025-10-13T13:48:31.033Z","dateUpdated":"2026-05-11T21:39:51.136Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:39:51.136Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: xfrm_alloc_spi shouldn't use 0 as SPI\n\nx->id.spi == 0 means \"no SPI assigned\", but since commit\n94f39804d891 (\"xfrm: Duplicate SPI Handling\"), we now create states\nand add them to the byspi list with this value.\n\n__xfrm_state_delete doesn't remove those states from the byspi list,\nsince they shouldn't be there, and this shows up as a UAF the next\ntime we go through the byspi list."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xfrm/xfrm_state.c"],"versions":[{"version":"3d8090bb53424432fa788fe9a49e8ceca74f0544","lessThan":"0baf92d0b1590b903c1f4ead75e61715e50e8146","status":"affected","versionType":"git"},{"version":"2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38","lessThan":"9fcedabaae0096f712bbb4ccca6a8538af1cd1c8","status":"affected","versionType":"git"},{"version":"29e9158f91f99057dbd35db5e8674d93b38549fe","lessThan":"a78e55776522373c446f18d5002a8de4b09e6bf7","status":"affected","versionType":"git"},{"version":"94f39804d891cffe4ce17737d295f3b195bc7299","lessThan":"cd8ae32e4e4652db55bce6b9c79267d8946765a9","status":"affected","versionType":"git"},{"version":"c67d4e7a8f90fb6361ca89d4d5c9a28f4e935e47","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xfrm/xfrm_state.c"],"versions":[{"version":"6.6.103","lessThan":"6.6.109","status":"affected","versionType":"semver"},{"version":"6.12.43","lessThan":"6.12.50","status":"affected","versionType":"semver"},{"version":"6.16.2","lessThan":"6.16.10","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.103","versionEndExcluding":"6.6.109"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.43","versionEndExcluding":"6.12.50"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16.2","versionEndExcluding":"6.16.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0baf92d0b1590b903c1f4ead75e61715e50e8146"},{"url":"https://git.kernel.org/stable/c/9fcedabaae0096f712bbb4ccca6a8538af1cd1c8"},{"url":"https://git.kernel.org/stable/c/a78e55776522373c446f18d5002a8de4b09e6bf7"},{"url":"https://git.kernel.org/stable/c/cd8ae32e4e4652db55bce6b9c79267d8946765a9"}],"title":"xfrm: xfrm_alloc_spi shouldn't use 0 as SPI","x_generator":{"engine":"bippy-1.2.0"}}}}