CVE-2025-38639
📋 TL;DR
This CVE describes a kernel memory corruption vulnerability in the Linux netfilter subsystem's xt_nfacct module. The vulnerability occurs when the module incorrectly assumes that an accounting name string is null-terminated, leading to potential out-of-bounds memory reads. This affects Linux systems using netfilter with the nfacct match extension.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic or system crash due to out-of-bounds memory access, potentially leading to denial of service or information disclosure of kernel memory contents.
Likely Case
System instability or crash when specific netfilter rules with malformed nfacct names are processed, resulting in denial of service.
If Mitigated
Minimal impact if systems don't use the affected xt_nfacct module or have proper kernel hardening protections enabled.
🎯 Exploit Status
Exploitation requires CAP_NET_ADMIN privileges or local access to manipulate netfilter rules. The vulnerability is a read-only out-of-bounds access, limiting exploitation potential.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple stable kernel versions with commits: 58004aa21e79, 58007fc7b94f, 66d41268ede1, 7c1ae471da69, b10cfa2de13d
Vendor Advisory: https://git.kernel.org/stable/c/58004aa21e79addaf41667bfe65e93ec51653f18
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable xt_nfacct module
Linux: Unload the vulnerable kernel module if not required
rmmod xt_nfacct
echo 'blacklist xt_nfacct' > /etc/modprobe.d/disable-nfacct.conf
Restrict CAP_NET_ADMIN
Linux: Limit which users/processes can manipulate netfilter rules
setcap -r /path/to/binary   # removes all file capabilities from the binary, including cap_net_admin
Use security modules like SELinux/AppArmor to restrict netfilter access
🧯 If You Can't Patch
- Ensure only trusted users have CAP_NET_ADMIN capabilities
- Monitor system logs for kernel panic or KASAN error messages related to netfilter
🔍 How to Verify
Check if Vulnerable:
Check if xt_nfacct module is loaded: lsmod | grep nfacct
Check Version:
uname -r
Verify Fix Applied:
Check kernel version against patched releases from your distribution, verify module is not loaded or system is updated
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN error reports mentioning xt_nfacct or nfacct_mt_checkentry
- System crash/reboot logs
Network Indicators:
- Unusual netfilter rule modifications
- Failed netfilter rule additions
SIEM Query:
source="kernel" AND ("KASAN" OR "slab-out-of-bounds" OR "xt_nfacct" OR "nfacct_mt_checkentry")
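The module check under "How to Verify" and the log indicators above can be made more precise, as in this added example (not part of the original advisory): the first helper matches `xt_nfacct` exactly so that `nfnetlink_acct` alone does not count as a hit, and the second reports only KASAN reports whose body mentions `xt_nfacct` or `nfacct_mt_checkentry`. The function names and all sample `lsmod` and kernel log text are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2025-38639 (xt_nfacct).
# All sample text below is constructed, not captured from a real system.

# Succeeds only if xt_nfacct itself is listed in lsmod-format text on stdin.
# Exact match on column 1 avoids a false hit on nfnetlink_acct alone.
nfacct_module_loaded() {
    awk '$1 == "xt_nfacct" { found = 1 } END { exit !found }'
}

# Prints the header line of each KASAN report on stdin whose body mentions
# xt_nfacct or nfacct_mt_checkentry; unrelated KASAN reports are skipped.
nfacct_kasan_reports() {
    awk '
        /BUG: KASAN:/ { in_report = 1; header = $0; hit = 0 }
        in_report && /xt_nfacct|nfacct_mt_checkentry/ { hit = 1 }
        in_report && /==========/ { if (hit) print header; in_report = 0 }
        END { if (in_report && hit) print header }
    '
}

sample_lsmod() {  # constructed lsmod output
    cat <<'EOF'
Module                  Size  Used by
xt_nfacct              16384  1
nfnetlink_acct         20480  2 xt_nfacct
x_tables               53248  1 xt_nfacct
EOF
}

sample_dmesg() {  # constructed kernel log: one unrelated report, one relevant
    cat <<'EOF'
[  101.000001] ==================================================================
[  101.000002] BUG: KASAN: slab-out-of-bounds in example_other_driver+0x10/0x20
[  101.000003]  example_other_driver+0x10/0x20
[  101.000004] ==================================================================
[  245.000001] ==================================================================
[  245.000002] BUG: KASAN: slab-out-of-bounds in string+0x1a0/0x1d0
[  245.000003]  vsnprintf+0x3c0/0x7f0
[  245.000004]  nfacct_mt_checkentry+0x7a/0xb0 [xt_nfacct]
[  245.000005] ==================================================================
EOF
}

if sample_lsmod | nfacct_module_loaded; then echo "xt_nfacct: loaded"; fi
sample_dmesg | nfacct_kasan_reports
```

On a live host, feed the helpers real data, for example `lsmod | nfacct_module_loaded` and `dmesg | nfacct_kasan_reports`.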
🔗 References
- https://git.kernel.org/stable/c/58004aa21e79addaf41667bfe65e93ec51653f18
- https://git.kernel.org/stable/c/58007fc7b94fb2702000045ff401eb7f5bde7828
- https://git.kernel.org/stable/c/66d41268ede1e1b6e71ba28be923397ff0b2b9c3
- https://git.kernel.org/stable/c/7c1ae471da69c09242834e956218ea6a42dd405a
- https://git.kernel.org/stable/c/b10cfa2de13d28ddd03210eb234422b7ec92725a
- https://git.kernel.org/stable/c/bf58e667af7d96c8eb9411f926a0a0955f41ce21
- https://git.kernel.org/stable/c/df13c9c6ce1d55c31d1bd49db65a7fbbd86aab13
- https://git.kernel.org/stable/c/e021a1eee196887536a6630c5492c23a4c78d452
- https://git.kernel.org/stable/c/e18939176e657a3a20bfbed357b8c55a9f82aba3
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html