AZL-64565

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64565.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-64565

Upstream

CVE-2025-38165

Published

2025-07-03T09:15:31Z

Modified

2026-04-01T05:20:21.974021Z

Summary

CVE-2025-38165 affecting package kernel for versions less than 6.6.96.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix panic when calling skb_linearize

The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000

Then a kernel panic was captured: ''' [ 657.460555] kernel BUG at net/core/skbuff.c:2178! [ 657.462680] Tainted: [W]=WARN [ 657.463287] Workqueue: events skpsockbacklog ... [ 657.469610] <TASK> [ 657.469738] ? die+0x36/0x90 [ 657.469916] ? dotrap+0x1d0/0x270 [ 657.470118] ? pskbexpandhead+0x612/0xf40 [ 657.470376] ? pskbexpandhead+0x612/0xf40 [ 657.470620] ? doerrortrap+0xa3/0x170 [ 657.470846] ? pskbexpandhead+0x612/0xf40 [ 657.471092] ? handleinvalidop+0x2c/0x40 [ 657.471335] ? pskbexpandhead+0x612/0xf40 [ 657.471579] ? excinvalidop+0x2d/0x40 [ 657.471805] ? asmexcinvalidop+0x1a/0x20 [ 657.472052] ? pskbexpandhead+0xd1/0xf40 [ 657.472292] ? pskbexpandhead+0x612/0xf40 [ 657.472540] ? lockacquire+0x18f/0x4e0 [ 657.472766] ? findheld_lock+0x2d/0x110 [ 657.472999] ? __pfxpskbexpand_head+0x10/0x10 [ 657.473263] ? __kmalloccachekmalloccachenoprof+0x5b/0x470 [ 657.473537] ? pfxock_release.isra.0+0x10/0x10 [ 657.473826] __pskbpulltail+0xfd/0x1d20 [ 657.474062] ? __kasanslaballoc+0x4e/0x90 [ 657.474707] skpsockskbingressenqueue+0x3bf/0x510 [ 657.475392] ? _kasankmalloc+0xaa/0xb0 [ 657.476010] skpsockbacklog+0x5cf/0xd70 [ 657.476637] processonework+0x858/0x1a20 '''

The panic originates from the assertion BUGON(skbshared(skb)) in skblinearize(). A previous commit(see Fixes tag) introduced skbget() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed.

The "--rx-strp 100000" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAXMSGFRAGS, triggering skb_linearize.

To fix this issue, just move skbget into skpsockskbingress_enqueue.

''' skpsockbacklog: skpsockhandleskb skbget(skb) <== we move it into 'skpsockskbingressenqueue' skpsockskbingress___________ ↓ | | → skpsockskbingressself | skpsockskbingressenqueue skpsockverdictapply_______________↑ skblinearize '''

Note that for verdictapply path, the skbget operation is unnecessary so we add 'take_ref' param to control it's behavior.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-38165

Affected packages

Azure Linux:3 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.96.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64565.json"