{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Use-after-free in BPF sockmap can lead to denial of service and privilege escalation",
    "id" : "2376056",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2376056"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-821",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf, sockmap: Avoid using sk_socket after free when sending\nThe sk->sk_socket is not locked or referenced in the backlog thread, and\nduring the call to skb_send_sock(), there is a race condition with\nthe release of sk_socket. All types of sockets (tcp/udp/unix/vsock)\nwill be affected.\nRace conditions:\n'''\nCPU0                               CPU1\nbacklog::skb_send_sock\nsendmsg_unlocked\nsock_sendmsg\nsock_sendmsg_nosec\nclose(fd):\n...\nops->release() -> sock_map_close()\nsk_socket->ops = NULL\nfree(socket)\nsock->ops->sendmsg\n^\npanic here\n'''\nThe ref of psock becomes 0 after sock_map_close() is executed.\n'''\nvoid sock_map_close()\n{\n...\nif (likely(psock)) {\n...\n// !! here we remove psock and the ref of psock become 0\nsock_map_remove_links(sk, psock)\npsock = sk_psock_get(sk);\nif (unlikely(!psock))\ngoto no_psock; <=== Control jumps here via goto\n...\ncancel_delayed_work_sync(&psock->work); <=== not executed\nsk_psock_put(sk, psock);\n...\n}\n'''\nBased on the fact that we already wait for the workqueue to finish in\nsock_map_close() if psock is held, we simply increase the psock\nreference count to avoid race conditions.\nWith this patch, if the backlog thread is running, sock_map_close() will\nwait for the backlog thread to complete and cancel all pending work.\nIf no backlog is running, any pending work that hasn't started by then will\nfail when invoked by sk_psock_get(), as the psock reference count has\nbeen zeroed, and sk_psock_drop() will cancel all jobs via\ncancel_delayed_work_sync().\nIn summary, we require synchronization to coordinate the backlog thread\nand the close() thread.\nThe panic I caught:\n'''\nWorkqueue: events sk_psock_backlog\nRIP: 0010:sock_sendmsg+0x21d/0x440\nRAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001\n...\nCall Trace:\n<TASK>\n? die_addr+0x40/0xa0\n? exc_general_protection+0x14c/0x230\n? asm_exc_general_protection+0x26/0x30\n? sock_sendmsg+0x21d/0x440\n? sock_sendmsg+0x3e0/0x440\n? __pfx_sock_sendmsg+0x10/0x10\n__skb_send_sock+0x543/0xb70\nsk_psock_backlog+0x247/0xb80\n...\n'''", "A flaw was found in the Linux kernel's BPF (Berkeley Packet Filter) sockmap subsystem. A race condition exists where the `sk_socket` is not properly locked or referenced during the `skb_send_sock()` function call, allowing for a use-after-free vulnerability. This can be exploited by a local attacker, leading to a system crash (Denial of Service) and potentially enabling information disclosure or privilege escalation." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5813",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.161.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5690",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.161.1.rt14.446.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-04-01T00:00:00Z",
    "advisory" : "RHSA-2026:6310",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.117.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-03-02T00:00:00Z",
    "advisory" : "RHSA-2026:3520",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.94.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38154\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38154\nhttps://lore.kernel.org/linux-cve-announce/2025070337-CVE-2025-38154-8353@gregkh/T" ],
  "name" : "CVE-2025-38154",
  "csaw" : false
}