CVE-2025-38732

5.5 MEDIUM

📋 TL;DR

A memory leak in the Linux kernel's netfilter subsystem: when a loopback packet is rejected, a dst reference count is leaked. This affects Linux systems using netfilter rules that reject packets and can lead to resource exhaustion over time. All Linux distributions shipping a vulnerable kernel version are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific vulnerable versions are not explicitly stated in the CVE, but patches exist in the stable kernel trees; multiple recent kernel versions before the fixes are likely affected.
Operating Systems: All Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires netfilter reject rules to be configured and active. Loopback traffic must trigger these reject rules.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained exploitation could lead to kernel memory exhaustion, causing system instability, denial of service, or kernel crashes.

🟠

Likely Case

Gradual memory consumption leading to performance degradation over time, particularly on systems with heavy network traffic and reject rules.

🟢

If Mitigated

Minimal impact with proper monitoring and resource limits in place.

🌐 Internet-Facing: MEDIUM - Systems with netfilter reject rules exposed to external traffic could experience resource exhaustion.
🏢 Internal Only: LOW - Internal systems with controlled traffic patterns are less likely to trigger the condition frequently.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to generate loopback traffic that triggers netfilter reject rules. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees via provided git commits

Vendor Advisory: https://git.kernel.org/stable/c/51e8531371f90bee742c63775c9a568e5d6bf3c5

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Disable problematic netfilter reject rules

all

Remove or modify the netfilter rules that reject loopback packets so the vulnerable reject path is not exercised. Deleting a REJECT rule changes what the chain filters, so check the chain's default policy before removing it.

iptables -L [chain] -n -v --line-numbers
iptables -D [chain] [rule_number]

🧯 If You Can't Patch

  • Monitor system memory and kernel resource usage for unusual patterns
  • Implement rate limiting on loopback interface traffic

🔍 How to Verify

Check if Vulnerable:

Check kernel version against distribution security advisories. Vulnerable if using unpatched kernel with netfilter reject rules.

Check Version:

uname -r

Verify Fix Applied:

Confirm that the running kernel version matches the patched version in the vendor advisory, and check that dmesg no longer shows WARNING messages referencing skb_dst_check_unset.

📡 Detection & Monitoring

Log Indicators:

  • Kernel WARNING messages about skb_dst_check_unset in dmesg or /var/log/kern.log
  • Steadily increasing kernel memory usage

Network Indicators:

  • Unusual loopback traffic patterns triggering reject rules

SIEM Query:

source="kernel" AND ("skb_dst_check_unset" OR "nf_reject_fill_skb_dst")
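For hosts without a SIEM, the same two log indicators can be checked directly against /var/log/kern.log or dmesg output. The script below is an added example, not part of this advisory or the kernel project; the log lines it writes are constructed for the demonstration (the file path, line number and symbol offsets are placeholders, not real kernel output), and only the two function names come from the detection section above.

```shell
#!/bin/sh
# Added example: scan a kernel log for the two indicators named in the
# detection section (skb_dst_check_unset, nf_reject_fill_skb_dst).
# Not part of the advisory; sample log lines below are constructed.

# Alternation of the indicator symbols from the page.
INDICATORS='skb_dst_check_unset|nf_reject_fill_skb_dst'

# Number of log lines that mention either indicator.
# Usage: count_dst_warnings /var/log/kern.log
count_dst_warnings() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
    grep -E -c "$INDICATORS" "$1" 2>/dev/null || true
}

# Syslog timestamp (month day time) of the first matching line, or empty.
# Usage: first_dst_warning_time /var/log/kern.log
first_dst_warning_time() {
    grep -E "$INDICATORS" "$1" 2>/dev/null | head -n 1 | awk '{print $1, $2, $3}'
}

# Same check against the live ring buffer (not run by the self-test).
count_dst_warnings_dmesg() {
    dmesg 2>/dev/null | grep -E -c "$INDICATORS" || true
}

# Write a constructed kern.log excerpt to the given path for offline testing.
# The WARNING line and its trace entry are made up; offsets/paths are fake.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:02 host kernel: usb 1-1: new high-speed USB device number 2
Mar  3 10:15:09 host kernel: WARNING: CPU: 2 PID: 0 at PLACEHOLDER_FILE:0 skb_dst_check_unset+0x0/0x0
Mar  3 10:15:09 host kernel: Call Trace:
Mar  3 10:15:09 host kernel:  nf_reject_fill_skb_dst+0x0/0x0
Mar  3 10:15:10 host kernel: eth0: link up
EOF
}

# Stand-alone demo: scan a real log if readable, else the constructed sample.
if [ "${DEMO:-0}" = "1" ]; then
    LOG=/var/log/kern.log
    if [ ! -r "$LOG" ]; then
        LOG=$(mktemp)
        write_sample_log "$LOG"
    fi
    echo "indicator lines: $(count_dst_warnings "$LOG")"
    echo "first seen:      $(first_dst_warning_time "$LOG")"
fi
```

Run with `DEMO=1 sh scan.sh` to scan /var/log/kern.log (falling back to the constructed sample). A non-zero count of indicator lines after the kernel has been patched, or a count that keeps growing, is the signal this page's log indicators describe.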
