CVE-2025-40281
- Source
- https://cve.org/CVERecord?id=CVE-2025-40281
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40281.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40281
- Downstream
- Related
- Published
- 2025-12-06T21:51:05.208Z
- Modified
- 2026-03-20T12:43:14.793925Z
- Summary
- sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
sctp: prevent possible shift-out-of-bounds in sctptransportupdate_rto
syzbot reported a possible shift-out-of-bounds [1]
Blamed commit added rtoalphamax and rtobetamax set to 1000.
It is unclear if some sctp users are setting very large rtoalpha and/or rtobeta.
In order to prevent user regression, perform the test at run time.
Also add READ_ONCE() annotations as sysctl values can change under us.
[1]
UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x16c/0x1f0 lib/dumpstack.c:120 ubsanepilogue lib/ubsan.c:233 [inline] _ubsanhandleshiftoutofbounds+0x27f/0x420 lib/ubsan.c:494 sctptransportupdaterto.cold+0x1c/0x34b net/sctp/transport.c:509 sctpchecktransmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502 sctpoutqsack+0x4ef/0x1b20 net/sctp/outqueue.c:1338 sctpcmdprocesssack net/sctp/smsideeffect.c:840 [inline] sctpcmdinterpreter net/sctp/smsideeffect.c:1372 [inline]
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40281.json" }- References
-
- https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4
- https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa
- https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8
- https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187
- https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d
- https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a
- https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675
- https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40281.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40281
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb58537a1f5629bdc98a8b9dc2051ce0e952f6b4bFixed0e0413e3315199b23ff4aec295e256034cd0a6e4Fixed834e65be429c0fa4f9bb5945064bd57f18ed2187Fixedabb086b9a95d0ed3b757ee59964ba3c4e4b2fc1aFixedd0d858652834dcf531342c82a0428170aa7c2675Fixeded71f801249d2350c77a73dca2c03918a15a62feFixed1cfa4eac275cc4875755c1303d48a4ddfe507ca8Fixedaaba523dd7b6106526c24b1fd9b5fc35e5aaa88dFixed1534ff77757e44bcc4b98d0196bc5c0052fce5fa
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced3.16.0Fixed5.4.302
- Type
- ECOSYSTEM
- Events
-
Introduced5.5.0Fixed5.10.247
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.197
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.159
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.117
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.59
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.17.9