{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40281","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.184Z","datePublished":"2025-12-06T21:51:05.208Z","dateUpdated":"2026-05-11T21:46:18.993Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:46:18.993Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto\n\nsyzbot reported a possible shift-out-of-bounds [1]\n\nBlamed commit added rto_alpha_max and rto_beta_max set to 1000.\n\nIt is unclear if some sctp users are setting very large rto_alpha\nand/or rto_beta.\n\nIn order to prevent user regression, perform the test at run time.\n\nAlso add READ_ONCE() annotations as sysctl values can change under us.\n\n[1]\n\nUBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41\nshift exponent 64 is too large for 32-bit type 'unsigned int'\nCPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:233 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494\n  sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509\n  sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502\n  sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338\n  sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]\n  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sctp/transport.c"],"versions":[{"version":"b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b","lessThan":"0e0413e3315199b23ff4aec295e256034cd0a6e4","status":"affected","versionType":"git"},{"version":"b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b","lessThan":"834e65be429c0fa4f9bb5945064bd57f18ed2187","status":"affected","versionType":"git"},{"version":"b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b","lessThan":"abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a","status":"affected","versionType":"git"},{"version":"b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b","lessThan":"d0d858652834dcf531342c82a0428170aa7c2675","status":"affected","versionType":"git"},{"version":"b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b","lessThan":"ed71f801249d2350c77a73dca2c03918a15a62fe","status":"affected","versionType":"git"},{"version":"b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b","lessThan":"1cfa4eac275cc4875755c1303d48a4ddfe507ca8","status":"affected","versionType":"git"},{"version":"b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b","lessThan":"aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d","status":"affected","versionType":"git"},{"version":"b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b","lessThan":"1534ff77757e44bcc4b98d0196bc5c0052fce5fa","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sctp/transport.c"],"versions":[{"version":"3.16","status":"affected"},{"version":"0","lessThan":"3.16","status":"unaffected","versionType":"semver"},{"version":"5.4.302","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.247","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.197","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.59","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.9","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"5.4.302"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"5.10.247"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"5.15.197"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.12.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.17.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4"},{"url":"https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187"},{"url":"https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a"},{"url":"https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675"},{"url":"https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe"},{"url":"https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8"},{"url":"https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d"},{"url":"https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa"}],"title":"sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto","x_generator":{"engine":"bippy-1.2.0"}}}}