CVE-2025-38150
📋 TL;DR
A race condition vulnerability in the Linux kernel's AF_PACKET socket implementation allows a local attacker to trigger a deadlock when unregistering network devices. This affects Linux systems where users have CAP_NET_RAW capability or can create raw sockets. The vulnerability can cause kernel panics or system hangs.
💻 Affected Systems
- Linux kernel
⚠️ Risk & Real-World Impact
Worst Case
Local denial of service causing kernel panic or system hang requiring physical reboot.
Likely Case
Local denial of service affecting network functionality on the affected system.
If Mitigated
Minimal impact if users lack CAP_NET_RAW capability and raw socket creation is restricted.
🎯 Exploit Status
Exploitation requires local access and specific timing conditions. Discovered via syzkaller fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel commits 2dd4781c5af99415ebbd2f7cc763feb109863c05 and d8d85ef0a631df9127f202e6371bb33a0b589952
Vendor Advisory: https://git.kernel.org/stable/c/2dd4781c5af99415ebbd2f7cc763feb109863c05
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Check with your distribution for backported patches.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Restrict raw socket creation
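Prevent non-privileged users from creating raw sockets that could trigger the vulnerability. Note that sysctl -w reports an error for any key the running kernel does not expose, so confirm that both settings were applied before relying on this workaround.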
sysctl -w net.ipv4.raw_l3_skb_accept=0
sysctl -w net.ipv6.raw_l3_skb_accept=0
Remove CAP_NET_RAW capability
Remove CAP_NET_RAW from users and processes that don't require it
setcap -r /path/to/binary
capsh --drop=cap_net_raw -- -c "your_command"
🧯 If You Can't Patch
- Restrict raw socket creation to privileged users only
- Implement strict capability management to remove CAP_NET_RAW where not needed
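To decide where CAP_NET_RAW can be removed, it helps to see which running processes currently hold it. The script below is an added example, not part of the original advisory or the kernel project: it reads the CapEff mask from /proc/<pid>/status and tests bit 13, which is CAP_NET_RAW in linux/capability.h. The function names has_cap_net_raw and list_net_raw_pids are hypothetical.

```shell
#!/bin/sh
# Added example: list processes whose effective capability set includes
# CAP_NET_RAW (capability number 13 in linux/capability.h).
# Function names are hypothetical, chosen for this illustration.

# has_cap_net_raw HEXMASK
# Exit status 0 if bit 13 is set in the hex capability mask, 1 otherwise.
has_cap_net_raw() {
    [ $(( (0x$1 >> 13) & 1 )) -eq 1 ]
}

# list_net_raw_pids [PROCROOT]
# Prints one "pid name" line per process with CAP_NET_RAW in CapEff.
# PROCROOT defaults to /proc; another directory can be passed for testing.
list_net_raw_pids() {
    root=${1:-/proc}
    for status in "$root"/[0-9]*/status; do
        [ -r "$status" ] || continue
        # A process may exit between the glob and the read; skip it then.
        mask=$(awk '$1 == "CapEff:" { print $2 }' "$status" 2>/dev/null) || continue
        [ -n "$mask" ] || continue
        if has_cap_net_raw "$mask"; then
            pid=${status%/status}
            pid=${pid##*/}
            name=$(awk '$1 == "Name:" { print $2 }' "$status" 2>/dev/null) || name="?"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Audit the live system. Root-owned processes and kernel threads normally
# show a full mask, so the entries worth reviewing are the services and
# user processes that do not need raw or packet sockets.
list_net_raw_pids /proc
```
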
🔍 How to Verify
Check if Vulnerable:
Check the running kernel version and compare it with your distribution's patched versions. The system is vulnerable if its kernel predates the fix commits.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes the fix commits: 2dd4781c5af99415ebbd2f7cc763feb109863c05 or d8d85ef0a631df9127f202e6371bb33a0b589952
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- System hang/crash reports
- RCU stall warnings in dmesg
Network Indicators:
- Sudden loss of network connectivity on local system
SIEM Query:
Search for: kernel panic, RCU stall, or system crash events following network device operations