CVE-2025-38236

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38236
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38236.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38236
Downstream
Related
Published
2025-07-08T08:15:20Z
Modified
2025-08-12T21:46:59.502684Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Don't leave consecutive consumed OOB skbs.

Jann Horn reported a use-after-free in unixstreamread_generic().

The following sequences reproduce the issue:

$ python3 from socket import * s1, s2 = socketpair(AFUNIX, SOCKSTREAM) s1.send(b'x', MSGOOB) s2.recv(1, MSGOOB) # leave a consumed OOB skb s1.send(b'y', MSGOOB) s2.recv(1, MSGOOB) # leave a consumed OOB skb s1.send(b'z', MSGOOB) s2.recv(1) # recv 'z' illegally s2.recv(1, MSGOOB) # access 'z' skb (use-after-free)

Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv().

After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb.

Then, the following happens during the next recv() without MSG_OOB

  1. unixstreamread_generic() peeks the first consumed OOB skb
  2. manage_oob() returns the next consumed OOB skb
  3. unixstreamread_generic() fetches the next not-yet-consumed OOB skb
  4. unixstreamread_generic() reads and frees the OOB skb

, and the last recv(MSG_OOB) triggers KASAN splat.

The 3. above occurs because of the SOPEEKOFF code, which does not expect unixskblen(skb) to be 0, but this is true for such consumed OOB skbs.

while (skip >= unixskblen(skb)) { skip -= unixskblen(skb); skb = skbpeeknext(skb, &sk->skreceivequeue); ... }

In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs.

So, nothing good comes out of such a situation.

Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily.

Now, while receiving an OOB skb in unixstreamrecv_urg(), if its previous skb is a consumed OOB skb, it is freed.

Read of size 4 at addr ffff888106ef2904 by task python3/315

CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 Call Trace: <TASK> dumpstacklvl (lib/dumpstack.c:122) printreport (mm/kasan/report.c:409 mm/kasan/report.c:521) kasanreport (mm/kasan/report.c:636) unixstreamreadactor (net/unix/afunix.c:3027) unixstreamreadgeneric (net/unix/afunix.c:2708 net/unix/afunix.c:2847) unixstreamrecvmsg (net/unix/afunix.c:3048) sockrecvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) _sysrecvfrom (net/socket.c:2278) _x64sysrecvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) dosyscall64 (arch/x86/entry/syscall64.c:63 (discriminator 1) arch/x86/entry/syscall64.c:94 (discriminator 1)) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:130) RIP: 0033:0x7f8911fcea06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06 RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006 RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20 R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000 </TASK>

Allocated by task 315: kasansavestack (mm/kasan/common.c:48) kasansavetrack (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) _kasanslaballoc (mm/kasan/common.c:348) kmemcachealloc ---truncated---

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.147-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.1.128-1
6.1.129-1
6.1.133-1
6.1.135-1
6.1.137-1
6.1.139-1
6.1.140-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.37-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.37-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}