{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: fix udp gso skb_segment after pull from frag_list",
    "id" : "2376041",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2376041"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-704",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: fix udp gso skb_segment after pull from frag_list\nCommit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after\npull from frag_list\") detected invalid geometry in frag_list skbs and\nredirects them from skb_segment_list to more robust skb_segment. But some\npackets with modified geometry can also hit bugs in that code. We don't\nknow how many such cases exist. Addressing each one by one also requires\ntouching the complex skb_segment code, which risks introducing bugs for\nother types of skbs. Instead, linearize all these packets that fail the\nbasic invariants on gso fraglist skbs. That is more robust.\nIf only part of the fraglist payload is pulled into head_skb, it will\nalways cause an exception when splitting skbs by skb_segment. For detailed\ncall stack information, see below.\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify fraglist skbs, breaking these invariants.\nIn extreme cases they pull one part of data into skb linear. For UDP,\nthis causes three payloads with lengths of (11,11,10) bytes that were\npulled at the tail to become (12,10,10) bytes.\nThe skbs no longer meet the above SKB_GSO_FRAGLIST conditions because\npayload was pulled into head_skb; they need to be linearized before being passed\nto regular skb_segment.\nskb_segment+0xcd0/0xd14\n__udp_gso_segment+0x334/0x5f4\nudp4_ufo_fragment+0x118/0x15c\ninet_gso_segment+0x164/0x338\nskb_mac_gso_segment+0xc4/0x13c\n__skb_gso_segment+0xc4/0x124\nvalidate_xmit_skb+0x9c/0x2c0\nvalidate_xmit_skb_list+0x4c/0x80\nsch_direct_xmit+0x70/0x404\n__dev_queue_xmit+0x64c/0xe5c\nneigh_resolve_output+0x178/0x1c4\nip_finish_output2+0x37c/0x47c\n__ip_finish_output+0x194/0x240\nip_finish_output+0x20/0xf4\nip_output+0x100/0x1a0\nNF_HOOK+0xc4/0x16c\nip_forward+0x314/0x32c\nip_rcv+0x90/0x118\n__netif_receive_skb+0x74/0x124\nprocess_backlog+0xe8/0x1a4\n__napi_poll+0x5c/0x1f8\nnet_rx_action+0x154/0x314\nhandle_softirqs+0x154/0x4b8\n[118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!\n[118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000\n[118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000\n[118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)\n[118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14\n[118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14\n[118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770", "A denial of service vulnerability has been discovered in the Linux kernel's UDP Generic Segmentation Offload (GSO) functionality. This flaw allows a local, unprivileged user to trigger a kernel crash by generating UDP packets with a specially malformed frag_list geometry. Successful exploitation of this vulnerability could lead to a system crash, severely impacting the availability and stability of the affected system." ],
  "statement" : "This vulnerability in the Linux kernel's UDP Generic Segmentation Offload (GSO) path allows specially crafted packets with malformed frag_list geometry to trigger a kernel BUG within the skb_segment() function. This occurs when only a portion of the packet data is pulled into the linear part of the SKB (Socket Buffer), violating assumptions made by the segmentation logic. If these malformed SKBs are not linearized, the kernel will crash due to invariant violations, leading to a denial-of-service.\nWhile the CVSS privileges are rated as Low, meaning unprivileged users can potentially construct such malicious SKBs via AF_PACKET sockets, BPF hooks, or containerized networking interfaces, the impact remains a system-level denial of service.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-08-18T00:00:00Z",
    "advisory" : "RHSA-2025:14009",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.28.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-18T00:00:00Z",
    "advisory" : "RHSA-2025:13962",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.35.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-18T00:00:00Z",
    "advisory" : "RHSA-2025:13962",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.35.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38124\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38124\nhttps://lore.kernel.org/linux-cve-announce/2025070328-CVE-2025-38124-bc19@gregkh/T" ],
  "name" : "CVE-2025-38124",
  "csaw" : false
}