CVE-2025-37894

It is possible for a pointer of type struct inettimewaitsock to be returned from the functions _inetlookupestablished() and _inet6lookupestablished(). This can cause a crash when the returned pointer is of type struct inettimewaitsock and sockput() is called on it. The following is a crash call stack that shows sk->skwmemalloc being accessed in skfree() during the call to sockput() on a struct inettimewaitsock pointer. To avoid this issue, use sockgenput() instead of sockput() when sk->skstate is TCPTIME_WAIT.

mrdump.ko ipanic() + 120 vmlinux notifiercallchain(nrtocall=-1, nrcalls=0) + 132 vmlinux atomicnotifiercallchain(val=0) + 56 vmlinux panic() + 344 vmlinux addtaint() + 164 vmlinux endreport() + 136 vmlinux kasanreport(size=0) + 236 vmlinux reporttagfault() + 16 vmlinux dotagrecovery() + 16 vmlinux _dokernelfault() + 88 vmlinux dobadarea() + 28 vmlinux dotagcheckfault() + 60 vmlinux domemabort() + 80 vmlinux el1abort() + 56 vmlinux el1h64synchandler() + 124 vmlinux > 0xFFFFFFC080011294() vmlinux _lseatomicfetchaddrelease(v=0xF2FFFF82A896087C) vmlinux _lseatomicfetchsubrelease(v=0xF2FFFF82A896087C) vmlinux archatomicfetchsubrelease(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux rawatomicfetchsubrelease(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux atomicfetchsubrelease(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux _refcountsubandtest(i=1, r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux _refcountdecandtest(r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux refcountdecandtest(r=0xF2FFFF82A896087C) + 8 vmlinux skfree(sk=0xF2FFFF82A8960700) + 28 vmlinux sockput() + 48 vmlinux tcp6checkfraglistgro() + 236 vmlinux tcp6groreceive() + 624 vmlinux ipv6groreceive() + 912 vmlinux devgroreceive() + 1116 vmlinux napigroreceive() + 196 ccmni.ko ccmnirxcallback() + 208 ccmni.ko ccmniqueuerecvskb() + 388 cccidpmaif.ko dpmaifrxqpush_thread() + 1088 vmlinux kthread() + 268 vmlinux 0xFFFFFFC08001F30C()

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c9d1d23e5239f41700be69133a5769ac5ebc88a8

Fixed

c0dba059b118b5206e755042b15b49368a388898

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c9d1d23e5239f41700be69133a5769ac5ebc88a8

Fixed

786650e644c5b1c063921799ca203c0b8670d79a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c9d1d23e5239f41700be69133a5769ac5ebc88a8

Fixed

f920436a44295ca791ebb6dae3f4190142eec703

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.3

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.14.1

v6.14.2

v6.14.3

v6.14.4

v6.14.5

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.9

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "331396587777632734527352894791385280846",
                "67147417674749899953024047665545342710",
                "116235134786986396901853031986665132799",
                "187386552271400071538357489656353038676"
            ]
        },
        "id": "CVE-2025-37894-01f29259",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c0dba059b118b5206e755042b15b49368a388898",
        "target": {
            "file": "net/ipv4/tcp_offload.c"
        },
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "331396587777632734527352894791385280846",
                "67147417674749899953024047665545342710",
                "116235134786986396901853031986665132799",
                "187386552271400071538357489656353038676"
            ]
        },
        "id": "CVE-2025-37894-0cdfc711",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f920436a44295ca791ebb6dae3f4190142eec703",
        "target": {
            "file": "net/ipv4/tcp_offload.c"
        },
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "331396587777632734527352894791385280846",
                "15962236807822999485532388293841644243",
                "285708909039390636589885825247694812225",
                "91011875666645470854109278074351240865"
            ]
        },
        "id": "CVE-2025-37894-0cfd8275",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@786650e644c5b1c063921799ca203c0b8670d79a",
        "target": {
            "file": "net/ipv6/tcpv6_offload.c"
        },
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "331396587777632734527352894791385280846",
                "15962236807822999485532388293841644243",
                "285708909039390636589885825247694812225",
                "91011875666645470854109278074351240865"
            ]
        },
        "id": "CVE-2025-37894-1b4820af",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f920436a44295ca791ebb6dae3f4190142eec703",
        "target": {
            "file": "net/ipv6/tcpv6_offload.c"
        },
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "331396587777632734527352894791385280846",
                "15962236807822999485532388293841644243",
                "285708909039390636589885825247694812225",
                "91011875666645470854109278074351240865"
            ]
        },
        "id": "CVE-2025-37894-608b4da0",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c0dba059b118b5206e755042b15b49368a388898",
        "target": {
            "file": "net/ipv6/tcpv6_offload.c"
        },
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "331396587777632734527352894791385280846",
                "67147417674749899953024047665545342710",
                "116235134786986396901853031986665132799",
                "187386552271400071538357489656353038676"
            ]
        },
        "id": "CVE-2025-37894-e2db1ead",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@786650e644c5b1c063921799ca203c0b8670d79a",
        "target": {
            "file": "net/ipv4/tcp_offload.c"
        },
        "deprecated": false
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.10.0

Fixed

6.12.28

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.14.6