CVE-2025-38165
📋 TL;DR
The BPF sockmap receive path in the Linux kernel can call skb_linearize() on a socket buffer that is still shared (skb->users > 1). skb_linearize() has to reallocate the buffer head through pskb_expand_head(), which refuses to touch a shared skb with a BUG_ON(skb_shared(skb)), so the kernel panics instead of returning an error. The condition is reached when a large message (the kernel's own reproducer uses a 100000-byte stream-parser record) is delivered through a sockmap with an ingress verdict program; the result is a crash of the whole host, i.e. denial of service. Only kernels built with sockmap support that lack the fix are affected.
💻 Affected Systems
- Linux kernel builds with sockmap support (CONFIG_BPF_STREAM_PARSER / CONFIG_NET_SOCK_MSG) that predate the fix commits listed under References
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic on the host running the sockmap program. The BUG_ON fires in the sk_psock_backlog workqueue worker, so it takes the whole system down rather than one socket, and recovery needs a physical or remote reboot.
Likely Case
A crash of a server that uses sockmap (for example a BPF-based proxy, load balancer or service mesh data plane) as soon as a sufficiently large message is delivered through the affected ingress path. Until such a message arrives the system runs normally, so the failure tends to look like a sudden, unexplained reboot under load.
If Mitigated
No residual risk once the fixed kernel is booted; the change is confined to the sockmap receive path and does not alter how sockmap programs are written or attached.
🎯 Exploit Status
The command on this page ('./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000') is the kernel developers' reproducer from the BPF selftests benchmark, not a weaponised exploit: it sets up a sockmap with an ingress verdict program and a 100000-byte stream-parser record and crashes a vulnerable kernel. Building that setup requires CAP_NET_ADMIN and CAP_BPF (in practice root), because creating sockmap/sockhash maps and attaching sk_skb programs is privileged. Once such a program is in place on a real service, however, the large message that trips the BUG_ON arrives on the socket from its peer, so the privilege is needed to build the path, not to exercise it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch: mainline commit 3d25fa2d7f127348c818e1dab9e58534f7ac56cc, with stable backports in the other git.kernel.org commits listed under References (3d25fa2d... and db1d15a2... are the first and last entries of that list, not a version range)
Vendor Advisory: https://git.kernel.org/stable/c/3d25fa2d7f127348c818e1dab9e58534f7ac56cc
Restart Required: Yes (the fix is in the kernel itself, so the new kernel has to be booted)
Instructions:
1. Identify your kernel version with 'uname -r'.
2. Check whether your distribution has shipped a kernel whose changelog or advisory references CVE-2025-38165 (for Debian LTS see the debian-lts-announce link under References).
3. Update the kernel package via your package manager (apt, yum, dnf, etc.).
4. Reboot the system to load the new kernel, then confirm with 'uname -r' that the updated version is running.
🔧 Temporary Workarounds
Remove or do not deploy sockmap programs on unpatched hosts
There is no sysctl that switches sockmap off at runtime; support is fixed at build time (CONFIG_BPF_STREAM_PARSER / CONFIG_NET_SOCK_MSG). The vulnerable path is only reachable once a sockmap or sockhash map exists and an sk_skb verdict program is attached to it, which requires CAP_NET_ADMIN (and CAP_BPF). Until the kernel is updated, the only real workaround is not to run such programs: unload them from proxies, load balancers or service meshes that use sockmap, and confirm no other privileged process creates them ('bpftool map list' shows maps of type sockmap/sockhash, 'bpftool prog list' shows sk_skb programs).
Packet-size filtering does not help
The trigger is not a single oversized packet but a multi-fragment skb assembled by the stream parser (the reproducer uses a 100000-byte record, --rx-strp 100000, delivered over ordinary TCP segments). An iptables length match only sees individual IP datagrams, which are at most 65535 bytes, so a rule such as '-m length --length 100000:' cannot express the threshold and would not stop the message in any case; changing the MTU likewise only changes how the same bytes are split on the wire.
🧯 If You Can't Patch
- Take sockmap-based services off unpatched hosts, or move them to a patched kernel first; there is no runtime switch and no network filter that closes the path
- Treat the ability to create sockmap/sockhash maps (CAP_NET_ADMIN plus CAP_BPF) as the ability to crash the host, and keep it away from containers and tooling that do not need it; setting kernel.unprivileged_bpf_disabled=1 is good hygiene but does not change this bug, because sockmap already requires privilege
🔍 How to Verify
Check if Vulnerable:
There is no sysctl for sockmap. Check three things: that the kernel was built with sockmap support (grep -E 'CONFIG_BPF_STREAM_PARSER|CONFIG_NET_SOCK_MSG' /boot/config-$(uname -r)), whether any sockmap/sockhash map currently exists ('bpftool map list', needs root), and whether the running version predates the fix ('uname -r', compared against your distribution's advisory for CVE-2025-38165).
Check Version:
uname -r
Verify Fix Applied:
Confirm that the package changelog or distribution advisory lists CVE-2025-38165 for the running kernel ('uname -r'). To reproduce on a disposable test host, run the sockmap benchmark from the kernel tree's tools/testing/selftests/bpf as root: './bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000' must complete without a kernel BUG. Never run it on a production host: on a vulnerable kernel it panics the machine.
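The two checks above that can be scripted, as an added example that is not part of this advisory or of the kernel tree: a config probe for sockmap support and a parser for 'bpftool map list' output that lists every sockmap/sockhash map ID. The sample bpftool output embedded below is constructed for running offline; on a real host pipe the live command into the function instead.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel): does this host even
# expose the vulnerable code path? Sockmap must be compiled in, and someone
# must actually have created a sockmap/sockhash map.

# Returns 0 if the running kernel's config enables sockmap support,
# 1 if it does not, 2 if no config file is readable.
sockmap_compiled_in() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        grep -qE '^CONFIG_(BPF_STREAM_PARSER|NET_SOCK_MSG)=y' "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -qE '^CONFIG_(BPF_STREAM_PARSER|NET_SOCK_MSG)=y'
    else
        return 2
    fi
}

# Reads `bpftool map list` output on stdin and prints the ID of every
# sockmap/sockhash map, one per line. Map header lines look like
# "12: sockmap  name sock_map  flags 0x0"; the indented detail lines
# ("key 4B  value 4B ...") never start with a digit and are skipped.
sockmap_map_ids() {
    awk '/^[0-9]+: (sockmap|sockhash)/ { sub(":", "", $1); print $1 }'
}

# Constructed sample of `bpftool map list` output (not captured from a host):
# one ordinary hash map and two maps that would make this host relevant.
SAMPLE_MAP_LIST='3: hash  name conn_track  flags 0x0
        key 8B  value 16B  max_entries 1024  memlock 36864B
12: sockmap  name sock_map  flags 0x0
        key 4B  value 4B  max_entries 64  memlock 4096B
13: sockhash  name sock_hash  flags 0x0
        key 8B  value 4B  max_entries 64  memlock 8192B
'

# Offline demonstration on the constructed sample; prints 12 and 13.
printf '%s' "$SAMPLE_MAP_LIST" | sockmap_map_ids

# On a real host (root or CAP_BPF, the same privilege the attacker needs):
#   sockmap_compiled_in && bpftool map list | sockmap_map_ids
```

An empty list from the live command means no process has created a sockmap or sockhash map, so the vulnerable path is currently unreachable on that host; it says nothing about whether the kernel is patched, which still has to be checked against the version.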
📡 Detection & Monitoring
Log Indicators:
- 'kernel BUG at net/core/skbuff.c:NNNN!' with RIP in pskb_expand_head and skb_linearize in the stack trace. This is the BUG_ON(skb_shared(skb)) at the top of pskb_expand_head; the line number was 2178 on the kernel the reproducer was run against and differs between versions, so match on the file name, not the number
- 'Workqueue: events sk_psock_backlog' in the same oops, identifying the sockmap backlog worker that called skb_linearize
- sk_psock_backlog in the stack trace
Network Indicators:
- Large messages (the reproducer uses 100000-byte records) arriving on sockets that belong to a sockmap with an ingress verdict program
- All connections to the host dropping at once, followed by the host becoming unreachable, shortly after a large transfer; a panic takes every connection with it, not just the one that carried the message
SIEM Query:
event.category:kernel AND (message:"kernel BUG at net/core/skbuff.c" OR message:"skb_linearize" OR message:"pskb_expand_head" OR message:"sk_psock_backlog")
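The log indicators above only mean something when they occur together in one oops: pskb_expand_head and skb_linearize appear in plenty of unrelated crashes. The following is an added example, not part of this advisory, that applies that co-occurrence rule to kernel log text (dmesg or 'journalctl -k' output). The log lines embedded below are constructed to resemble the signature described on this page and are not a real capture; the 80-line window is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): flag an oops that carries all three
# indicators from this page, rather than alerting on each string in isolation.

# Reads kernel log lines on stdin. Starting at each "kernel BUG at
# net/core/skbuff.c" line it looks ahead up to WINDOW lines (default 80, an
# assumption) for pskb_expand_head/skb_linearize AND sk_psock_backlog.
# Prints "MATCH <BUG line>" for every oops that has both; exit status is
# 0 if at least one oops matched, 1 otherwise.
sockmap_oops_matches() {
    awk -v window="${WINDOW:-80}" '
        /kernel BUG at net\/core\/skbuff\.c/ {
            start = NR; first = $0; expand = 0; psock = 0; next
        }
        start && NR - start > window { start = 0 }
        start && /pskb_expand_head|skb_linearize/ { expand = 1 }
        start && /sk_psock_backlog/               { psock = 1 }
        start && expand && psock {
            print "MATCH " first; found = 1; start = 0
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample (timestamps and offsets invented): the first oops has the
# full sockmap signature, the second hits the same BUG_ON from an unrelated
# path and must not match.
SAMPLE_KLOG='[  123.456789] kernel BUG at net/core/skbuff.c:2178!
[  123.457000] Oops: invalid opcode: 0000 [#1] PREEMPT SMP
[  123.457500] Workqueue: events sk_psock_backlog
[  123.458000] RIP: 0010:pskb_expand_head+0x2ac/0x2b0
[  123.459000]  skb_linearize+0x3e/0x50
[  123.459500]  sk_psock_backlog+0x141/0x3b0
[  123.460000]  process_one_work+0x178/0x350
[  900.000000] kernel BUG at net/core/skbuff.c:2178!
[  900.000100] RIP: 0010:pskb_expand_head+0x2ac/0x2b0
[  900.000200]  tcp_sendmsg_locked+0x1ab/0xd30
[  900.000300] Workqueue: events something_else
'

# Offline demonstration; prints one MATCH line for the first oops only.
printf '%s' "$SAMPLE_KLOG" | sockmap_oops_matches

# On a real host:  journalctl -k --no-pager | sockmap_oops_matches
```

The window is there because an oops is spread over many lines and the Workqueue line precedes the RIP line; requiring both the pskb_expand_head frame and the sk_psock_backlog worker in the same oops is what separates this bug from any other caller of pskb_expand_head that trips the same BUG_ON.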
🔗 References
- https://git.kernel.org/stable/c/3d25fa2d7f127348c818e1dab9e58534f7ac56cc
- https://git.kernel.org/stable/c/4dba44333a11522df54b49aa1f2edfaf6ce35fc7
- https://git.kernel.org/stable/c/5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e
- https://git.kernel.org/stable/c/9718ba6490732dbe70190d42c21deb1440834402
- https://git.kernel.org/stable/c/db1d15a26f21f97459508c42ae87cabe8d3afc3b
- https://git.kernel.org/stable/c/e9c1299d813fc04668042690f2c3cc76d013959a
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html