{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: sctp: linearize cloned gso packets in sctp_rcv",
    "id" : "2393166",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2393166"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-664",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsctp: linearize cloned gso packets in sctp_rcv\nA cloned head skb still shares these frag skbs in fraglist with the\noriginal head skb. It's not safe to access these frag skbs.\nsyzbot reported two use-of-uninitialized-memory bugs caused by this:\nBUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\nsctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\nsctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998\nsctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88\nsctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331\nsk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122\n__release_sock+0x1da/0x330 net/core/sock.c:3106\nrelease_sock+0x6b/0x250 net/core/sock.c:3660\nsctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360\nsctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885\nsctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031\ninet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851\nsock_sendmsg_nosec net/socket.c:718 [inline]\nand\nBUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\nsctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\nsctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88\nsctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331\nsk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n__release_sock+0x1d3/0x330 net/core/sock.c:3213\nrelease_sock+0x6b/0x270 net/core/sock.c:3767\nsctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367\nsctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886\nsctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032\ninet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851\nsock_sendmsg_nosec net/socket.c:712 [inline]\nThis patch fixes it by linearizing cloned gso packets in sctp_rcv().", "A flaw use of uninitialized memory (uncontrolled and invisible by attacker) in the Linux kernel SCTP transport protocol was found in the way user triggers malicious SCTP packets. A remote user could use this flaw to crash the system. The bug actual only for systems where SCTP protocol being enabled and used." ],
  "statement" : "A flaw in the SCTP receive path failed to linearize cloned GSO sk_buffs before accessing fraglists, leading to reads of uninitialized memory as reported by KMSAN. An attacker sending SCTP traffic can trigger incorrect processing and potentially cause a kernel denial of service on the target under specific RX conditions.\nStream Control Transmission Protocol (SCTP) is a transport-layer protocol (like TCP or UDP) primarily used in telecom signaling and some specialized applications. On most Linux systems it is disabled by default, and remote connectivity is only possible if SCTP support is enabled and listening services are configured (commonly using the IANA-assigned port 2905/tcp for M3UA or other protocol-specific ports). Therefore, the vulnerability is only exploitable when SCTP is enabled and reachable on the target system.\nAlthough KMSAN reports this issue as use of uninitialized memory (which deterministically crashes with KMSAN enabled), on production kernels the impact is still availability-related.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-10-07T00:00:00Z",
    "advisory" : "RHSA-2025:17396",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.38.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22914",
    "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7",
    "package" : "kernel-rt-0:3.10.0-1160.143.1.rt56.1295.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22910",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "kernel-0:3.10.0-1160.143.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-29T00:00:00Z",
    "advisory" : "RHSA-2025:16920",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.77.1.rt7.418.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-29T00:00:00Z",
    "advisory" : "RHSA-2025:16919",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.77.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23445",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.178.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23463",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.182.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23463",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.182.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22006",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.170.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22006",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.170.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22006",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.170.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22072",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.120.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22072",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.120.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-29T00:00:00Z",
    "advisory" : "RHSA-2025:16880",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.49.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-29T00:00:00Z",
    "advisory" : "RHSA-2025:16880",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.49.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21091",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.153.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21136",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.153.1.rt21.225.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-10-29T00:00:00Z",
    "advisory" : "RHSA-2025:19224",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.144.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-10-29T00:00:00Z",
    "advisory" : "RHSA-2025:19223",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.144.1.rt14.429.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-11-19T00:00:00Z",
    "advisory" : "RHSA-2025:21760",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.100.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38718\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38718\nhttps://lore.kernel.org/linux-cve-announce/2025090459-CVE-2025-38718-5bb6@gregkh/T" ],
  "name" : "CVE-2025-38718",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}