CVE-2025-38727

5.5 MEDIUM

📋 TL;DR

A race condition in the Linux kernel's netlink subsystem can cause infinite retry loops when sending unicast messages, leading to CPU stalls and potential denial of service. This affects Linux systems using netlink sockets, particularly audit daemons (kauditd) and other netlink-based services. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernel versions from the restructuring commit that introduced the bug up to (but not including) the fix commits
Operating Systems: All Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires netlink socket usage; audit subsystem (kauditd) is commonly affected. The vulnerability manifests when skb->truesize + sk->sk_rmem_alloc equals sk->sk_rcvbuf.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete CPU stall on affected cores causing system unresponsiveness, requiring hard reboot to recover.

🟠

Likely Case

Audit daemon or other netlink services become unresponsive, causing audit log loss and potential service disruption.

🟢

If Mitigated

Minor performance impact on netlink communication with no service disruption.

🌐 Internet-Facing: LOW - Requires local access to trigger, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users or processes can trigger CPU stalls affecting system stability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires precise timing conditions to trigger the race condition. Local access needed to create netlink sockets and trigger the edge case.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 346c820ef5135cf062fa3473da955ef8c5fb6929, 44ddd7b1ae0b7edb2c832eb16798c827a05e58f0, 47d49fd07f86d1f55ea1083287303d237e9e0922, 6bee383ff83352a693d03efdf27cdd80742f71b2, 759dfc7d04bab1b0b86113f1164dc1fec192b859

Vendor Advisory: https://git.kernel.org/stable/c/346c820ef5135cf062fa3473da955ef8c5fb6929

Restart Required: Yes

Instructions:

1. Update to a kernel version containing the fix commits.
2. Check your distribution's security advisories for backported patches.
3. Reboot the system after the kernel update.

🔧 Temporary Workarounds

Disable audit subsystem

Linux

Temporarily disable the audit daemon to prevent kauditd from triggering the vulnerability

systemctl stop auditd
systemctl disable auditd

Limit netlink socket usage

Linux

Restrict applications from creating netlink sockets via security modules

# Configure SELinux/AppArmor to restrict netlink socket creation

🧯 If You Can't Patch

  • Monitor system logs for RCU stall warnings and CPU usage spikes
  • Implement strict access controls to limit local users who can create netlink sockets

🔍 How to Verify

Check if Vulnerable:

Check whether the running kernel version falls between the commit that introduced the bug and the fix commits (consult your distribution's advisory for CVE-2025-38727 for the exact package versions).

Check Version:

uname -r

Verify Fix Applied:

Fix commits to look for: 346c820ef5135cf062fa3473da955ef8c5fb6929, 44ddd7b1ae0b7edb2c832eb16798c827a05e58f0, 47d49fd07f86d1f55ea1083287303d237e9e0922, 6bee383ff83352a693d03efdf27cdd80742f71b2, 759dfc7d04bab1b0b86113f1164dc1fec192b859. Note that commit IDs are not recorded in /proc/version, so grepping that file for them cannot succeed on any kernel. Confirm the fix instead by matching `uname -r` against your distribution's advisory for CVE-2025-38727, or, in the kernel source tree the running kernel was built from, by checking whether a fix commit is an ancestor of the built revision: `git merge-base --is-ancestor 346c820ef5135cf062fa3473da955ef8c5fb6929 HEAD` (exit status 0 means the fix is included).

📡 Detection & Monitoring

Log Indicators:

  • RCU stall warnings in kernel logs: 'rcu: INFO: rcu_sched self-detected stall on CPU'
  • High CPU usage by kauditd or netlink processes
  • Kernel backtraces showing netlink_attachskb or netlink_unicast

Network Indicators:

  • No network indicators - local vulnerability only

SIEM Query:

source="kernel" AND ("rcu_sched self-detected stall" OR "netlink_attachskb" OR "netlink_unicast")
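As an added example (not part of this advisory), a small Python scanner that applies the log indicators above to dmesg-style lines: it reports each RCU stall block and whether the backtrace that follows it contains a netlink_attachskb or netlink_unicast frame, so stalls with other causes can be triaged separately. The sample log lines and the function name are constructed for this example.

```python
import re

# Constructed sample of kernel log lines (not from the advisory). The first
# stall block mirrors the indicators above: an RCU self-detected stall whose
# backtrace contains netlink_attachskb / netlink_unicast under kauditd.
SAMPLE_DMESG = """\
[  120.001] rcu: INFO: rcu_sched self-detected stall on CPU
[  120.002] rcu:     3-....: (20999 ticks this GP) idle=... softirq=... fqs=...
[  120.003] Call Trace:
[  120.004]  netlink_attachskb+0x1a5/0x300
[  120.005]  netlink_unicast+0x22e/0x410
[  120.006]  kauditd_send_queue+0x80/0x160
[  120.007]  kauditd_thread+0x2b5/0x560
[  300.100] rcu: INFO: rcu_sched self-detected stall on CPU
[  300.101] Call Trace:
[  300.102]  some_other_driver_fn+0x10/0x20
[  400.000] audit: type=1400 audit(...): apparmor="DENIED"
"""

STALL_RE = re.compile(r"rcu_sched self-detected stall on CPU")
NETLINK_RE = re.compile(r"\b(netlink_attachskb|netlink_unicast)\b")
TS_RE = re.compile(r"^\[\s*([\d.]+)\]")


def find_netlink_stalls(log_text, window=20):
    """Return one dict per RCU stall warning. `netlink_frames` lists the
    netlink functions seen in the next `window` lines (the backtrace);
    `matched` is True when the stall looks like the CVE-2025-38727 pattern."""
    lines = log_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not STALL_RE.search(line):
            continue
        frames = []
        for follow in lines[i + 1:i + 1 + window]:
            if STALL_RE.search(follow):
                break  # next stall block starts; stop scanning this one
            m = NETLINK_RE.search(follow)
            if m:
                frames.append(m.group(1))
        ts = TS_RE.match(line)
        findings.append({"timestamp": ts.group(1) if ts else None,
                         "netlink_frames": frames,
                         "matched": bool(frames)})
    return findings


if __name__ == "__main__":
    for finding in find_netlink_stalls(SAMPLE_DMESG):
        print(finding)
```

On a live host, feed it the output of `dmesg` or `journalctl -k` instead of the constructed sample.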