CVE-2025-38181

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's CALIPSO subsystem allows denial-of-service attacks when SYN cookies are enabled. The vulnerability occurs when CALIPSO-labeled connections attempt to use SYN cookies during TCP SYN flood protection, causing kernel crashes. Systems using CALIPSO/IPv6 labeling with SYN cookies enabled are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Linux kernel versions from commit a1a5344ddbe8 (v4.1+) to patches addressing CVE-2025-38181
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires CALIPSO/IPv6 labeling enabled and SYN cookies active (typically during SYN flood conditions). Most default configurations are not vulnerable.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash and complete denial of service, potentially requiring physical reboot of affected systems.

🟠 Likely Case: System instability and crashes when SYN cookies are triggered on CALIPSO-enabled interfaces, causing service disruption.

🟢 If Mitigated: Limited impact if SYN cookies are disabled or CALIPSO labeling is not used; systems would experience normal SYN flood protection without crashes.

🌐 Internet-Facing: MEDIUM - Requires specific CALIPSO/IPv6 configuration and SYN cookie triggering, but could be exploited by flooding SYN packets.
🏢 Internal Only: LOW - Internal systems less likely to have CALIPSO enabled and SYN flood conditions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The syzkaller fuzzer discovered the issue and can reproduce it. Exploitation requires sending SYN packets to trigger a SYN cookie response on CALIPSO-enabled ports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (commits 058dd4a370f23a5553a9449f2db53d5bfa88d45e, 10876da918fa1aec0227fb4c67647513447f53a9, 956f1499412ed0953f6a116df7fdb855e9f1fc66, 988edde4d52d5c02ea4dd95d7619372a5e2fb7b7, bde8833eb075ba8e8674de88e32de6b669966451)

Vendor Advisory: https://git.kernel.org/stable/c/058dd4a370f23a5553a9449f2db53d5bfa88d45e

Restart Required: Yes

Instructions:

1. Update to patched kernel version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version with 'uname -r'.

🔧 Temporary Workarounds

Disable SYN cookies

Prevents SYN cookie generation, eliminating the vulnerability trigger but reducing SYN flood protection.

# net.ipv4.tcp_syncookies controls SYN cookies for both IPv4 and IPv6 TCP;
# the kernel has no separate net.ipv6.tcp_syncookies key.
sysctl -w net.ipv4.tcp_syncookies=0

Disable CALIPSO/IPv6 labeling

Removes the vulnerable code path by disabling CALIPSO labeling.

Check if CALIPSO is enabled in kernel config and disable if not needed

🧯 If You Can't Patch

  • Implement network-level SYN flood protection (firewalls, load balancers) to reduce reliance on kernel SYN cookies
  • Monitor for SYN flood conditions and temporarily disable affected services during attacks

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether CALIPSO is enabled: run 'uname -r', then check /proc/net/calipso or the kernel config for CONFIG_NETLABEL and CONFIG_NETWORK_SECMARK.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is patched and test with syzkaller reproducer or attempt to trigger SYN cookies on CALIPSO ports
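
The two preconditions from the notes above (CALIPSO code present, SYN cookies active) can be checked together. This is an added example, not part of the original advisory or the kernel project: the function names are hypothetical, the config path in the usage comment is an assumed common location, and it checks only CONFIG_NETLABEL and CONFIG_IPV6, which shows the code is built but not that a CALIPSO DOI is actually configured.

```shell
#!/bin/sh
# Added example: classify exposure to the CALIPSO + SYN cookie crash from
# two inputs: a kernel config file and the tcp_syncookies sysctl value.

# config_has FILE SYMBOL -> true if SYMBOL is built in (=y) or modular (=m).
config_has() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# calipso_exposure CONFIG_FILE SYNCOOKIES_VALUE
# Prints "<verdict>: <reason>". Verdict names are hypothetical labels.
calipso_exposure() {
    cfg=$1
    cookies=$2
    if [ ! -r "$cfg" ]; then
        echo "unknown: cannot read kernel config $cfg"
        return 0
    fi
    # Built-in support is necessary for the code path, not proof of use.
    if ! config_has "$cfg" CONFIG_NETLABEL || ! config_has "$cfg" CONFIG_IPV6; then
        echo "not-exposed: NetLabel or IPv6 not built, no CALIPSO code path"
        return 0
    fi
    case $cookies in
        0)   echo "mitigated: SYN cookies disabled, trigger removed" ;;
        1|2) echo "exposed: CALIPSO code built and SYN cookies on (mode $cookies), patch needed" ;;
        *)   echo "unknown: unexpected tcp_syncookies value '$cookies'" ;;
    esac
}

# On a live host (config path is an assumption, adjust per distribution):
#   calipso_exposure "/boot/config-$(uname -r)" "$(sysctl -n net.ipv4.tcp_syncookies)"
```

An "exposed" verdict still needs the kernel version compared against the distribution's fixed release, since the config file does not record backported patches.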

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning calipso_req_setattr or sock_omalloc
  • SYN cookie warnings in dmesg: 'Possible SYN flooding'

Network Indicators:

  • High volume of SYN packets to CALIPSO-enabled ports
  • Sudden service disruption on IPv6 CALIPSO services

SIEM Query:

source="kernel" AND ("calipso_req_setattr" OR "sock_omalloc" OR "SYN flooding")
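
The query above ORs a routine flood warning with the crash symbols, so it fires on any SYN flood. The following added example (not from the original advisory) separates the cases on kernel log text; the verdict labels are hypothetical and the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: triage kernel log text for the indicators listed above.
# A SYN-flood warning alone is common noise; a fault whose trace names
# calipso_req_setattr or sock_omalloc is the crash signature.

# triage_kernel_log: reads kernel log lines on stdin, prints one verdict
# followed by the per-indicator line counts.
triage_kernel_log() {
    awk '
        /Possible SYN flooding/ { flood++ }
        /NULL pointer dereference|null-ptr-deref|general protection fault/ { fault++ }
        /calipso_req_setattr|sock_omalloc/ { sym++ }
        END {
            if (fault && sym) v = "crash-signature"
            else if (sym)     v = "symbol-only"
            else if (flood)   v = "syn-flood-only"
            else              v = "clean"
            printf "%s flood=%d fault=%d symbol=%d\n", v, flood, fault, sym
        }'
}

# Constructed sample: flood warning followed by a fault in the CALIPSO path.
sample_crash() {
    cat <<'EOF'
kernel: TCP: request_sock_TCPv6: Possible SYN flooding on port 8080. Sending cookies.
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000030
kernel: Call Trace:
kernel:  calipso_req_setattr+0x2d/0xe0
EOF
}

# Constructed sample: an ordinary flood warning with no crash.
sample_flood() {
    cat <<'EOF'
kernel: TCP: request_sock_TCP: Possible SYN flooding on port 443. Sending cookies.
EOF
}

# Live use: dmesg | triage_kernel_log
```

After a panic the in-memory ring buffer is gone, so run this against persisted logs (remote syslog, pstore, or a crash dump) rather than the rebooted host's dmesg.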
