CVE-2025-38622
📋 TL;DR
A kernel panic vulnerability in the Linux kernel's UDP processing allows remote attackers to crash affected systems by sending specially crafted UDP packets with UFO (UDP Fragmentation Offload) segmentation. This affects Linux systems using tun devices with virtio_net_hdr and UDP_ENCAP_ESPINUDP encapsulation. The vulnerability can be triggered remotely without authentication.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Remote kernel panic leading to complete system crash and denial of service, potentially affecting multiple systems if exploited at scale.
Likely Case
Targeted denial of service attacks against vulnerable Linux servers, causing service disruption and potential data loss from unsaved operations.
If Mitigated
No impact if systems are patched or don't use the specific tun device configuration with UDP encapsulation.
🎯 Exploit Status
Exploitation requires knowledge of specific system configuration and ability to send crafted UDP packets. The vulnerability is in the kernel's UDP processing path, making it accessible to remote attackers with network access to vulnerable systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 0c639c6479ec, 0d45954034f8, 4c1022220b1b, 72f97d3cb791, 791f32c5eab3 (backported to stable branches)
Vendor Advisory: https://git.kernel.org/stable/c/0c639c6479ec4480372901a5fc566f7588cf5522
Restart Required: Yes
Instructions:
1. Update the Linux kernel to the patched version from your distribution vendor.
2. Check distribution security advisories for the specific fixed version numbers.
3. Reboot the system after the kernel update to load the new kernel.
🔧 Temporary Workarounds
Disable UFO on tun interfaces
Linux: Disable UDP Fragmentation Offload on tun devices to prevent triggering the vulnerability
ethtool -K <tun_interface> ufo off
Disable UDP_ENCAP_ESPINUDP encapsulation
Linux: Remove the UDP encapsulation configuration if it is not required
Check and modify application configurations using UDP_ENCAP_ESPINUDP
🧯 If You Can't Patch
- Implement network filtering to block UDP packets with suspicious fragmentation patterns
- Isolate systems using tun devices with UDP encapsulation from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether tun devices with UFO and UDP_ENCAP_ESPINUDP are configured. Use: uname -r and check /proc/net/tun
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel version is patched and check via kernel logs that UFO packets are dropped in udp_rcv_segment()
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning skb_pull_rcsum or udp_queue_rcv_one_skb
- System crash/reboot logs
- OOM killer activity following crashes
Network Indicators:
- UDP packets with malformed fragmentation to systems with tun interfaces
- Sudden increase in UDP traffic to specific ports using encapsulation
SIEM Query:
source="kernel" AND ("skb_pull_rcsum" OR "udp_queue_rcv_one_skb" OR "kernel BUG at net/core/skbuff.c")
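The following script is an added example (not part of this advisory or the kernel project) that turns the "How to Verify" and "Detection & Monitoring" sections above into two offline checks: it parses `ethtool -k <iface>` output to tell whether UFO is still enabled on a tun interface, and it scans kernel-log lines for the panic indicators listed above. The ethtool text and dmesg lines embedded below are constructed samples; `LINE` and the `+0x0/0x0` offsets are placeholders, and the function names are the author's own.

```python
import re

# Indicator strings come from this advisory's "Log Indicators" and "SIEM Query" sections.
PANIC_RE = re.compile(
    r"skb_pull_rcsum|udp_queue_rcv_one_skb|kernel BUG at net/core/skbuff\.c"
)

def find_panic_indicators(lines):
    """Return every kernel-log line carrying one of the advisory's panic indicators."""
    return [line for line in lines if PANIC_RE.search(line)]

def ufo_enabled(ethtool_k_output):
    """Parse `ethtool -k <iface>` text; True when UDP fragmentation offload is on.
    ethtool prints 'udp-fragmentation-offload: on|off', sometimes followed by '[fixed]'."""
    match = re.search(r"^udp-fragmentation-offload:\s*(on|off)", ethtool_k_output, re.M)
    return match is not None and match.group(1) == "on"

def assess(iface, ethtool_k_output, kernel_log_lines):
    """Combine both checks into one triage record for an interface."""
    hits = find_panic_indicators(kernel_log_lines)
    ufo_on = ufo_enabled(ethtool_k_output)
    return {
        "interface": iface,
        "ufo_on": ufo_on,
        "panic_indicator_lines": hits,
        "needs_attention": ufo_on or bool(hits),
    }

# Constructed sample data, not captured from a real system; LINE and +0x0/0x0 are placeholders.
SAMPLE_ETHTOOL_TUN0 = """Features for tun0:
rx-checksumming: off [fixed]
tx-checksumming: on
udp-fragmentation-offload: on
"""

SAMPLE_DMESG = [
    "[  120.001000] tun0: link becomes ready",
    "[  300.512000] kernel BUG at net/core/skbuff.c:LINE!",
    "[  300.513000] RIP: 0010:skb_pull_rcsum+0x0/0x0",
    "[  300.514000] Call Trace:",
    "[  300.515000]  udp_queue_rcv_one_skb+0x0/0x0",
    "[  300.516000]  udp_unicast_rcv_skb+0x0/0x0",
    "[  301.000000] systemd[1]: Started Daily Cleanup of Temporary Directories.",
]

if __name__ == "__main__":
    print(assess("tun0", SAMPLE_ETHTOOL_TUN0, SAMPLE_DMESG))
```

On a live host, feed `assess()` the real output of `ethtool -k tun0` and the lines from `dmesg` or `journalctl -k`; a `needs_attention` of True means either UFO is still on or the log already shows the crash signature.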
🔗 References
- https://git.kernel.org/stable/c/0c639c6479ec4480372901a5fc566f7588cf5522
- https://git.kernel.org/stable/c/0d45954034f8edd6d4052e0190d3d6335c37e4de
- https://git.kernel.org/stable/c/4c1022220b1b6fea802175e80444923a3bbf93a5
- https://git.kernel.org/stable/c/72f97d3cb791e26492236b2be7fd70d2c6222555
- https://git.kernel.org/stable/c/791f32c5eab33ca3a153f8f6f763aa0df1ddc320
- https://git.kernel.org/stable/c/c0ec2e47f1e92d69b42b17a4a1e543256778393e
- https://git.kernel.org/stable/c/d46e51f1c78b9ab9323610feb14238d06d46d519
- https://git.kernel.org/stable/c/df6ad849d59256dcc0e2234844ef9f0daf885f5c
- https://git.kernel.org/stable/c/fc45b3f9599b657d4a64bcf423d2a977b3e13a49
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html