CVE-2025-39812

5.5 MEDIUM

📋 TL;DR

This CVE describes an uninitialized memory vulnerability in the Linux kernel's SCTP IPv6 implementation. sctp_v6_from_sk() does not clear the sin6_scope_id and sin6_flowinfo fields, so later address comparison operations can read uninitialized values, which is undefined behavior. This affects systems running vulnerable Linux kernel versions with SCTP IPv6 functionality enabled.
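The bug pattern described above, as an added user-space C model (not kernel code and not taken from the original page or the kernel patch). The function names and the simplified comparison rule are assumptions of the example, and stale memory is simulated with memset so the result is deterministic.

```c
/* User-space model of the bug pattern; not kernel code. Function names are
 * hypothetical; only struct sockaddr_in6 and its fields are real. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Unpatched pattern: sets family, port and address, leaves the rest as found. */
static void model_from_sk_unpatched(struct sockaddr_in6 *a, const struct in6_addr *bound) {
    a->sin6_family = AF_INET6;
    a->sin6_port = 0;
    a->sin6_addr = *bound;
}

/* Patched pattern: also clears sin6_flowinfo and sin6_scope_id. */
static void model_from_sk_patched(struct sockaddr_in6 *a, const struct in6_addr *bound) {
    model_from_sk_unpatched(a, bound);
    a->sin6_flowinfo = 0;
    a->sin6_scope_id = 0;
}

/* Simplified comparison (assumption): addresses must match, and for a
 * link-local address two non-zero scope ids must match as well. */
static int model_cmp_addr(const struct sockaddr_in6 *x, const struct sockaddr_in6 *y) {
    if (memcmp(&x->sin6_addr, &y->sin6_addr, sizeof(x->sin6_addr)) != 0)
        return 0;
    return !(IN6_IS_ADDR_LINKLOCAL(&x->sin6_addr) && x->sin6_scope_id &&
             y->sin6_scope_id && x->sin6_scope_id != y->sin6_scope_id);
}

/* Fill the same bound address into two slots holding different stale bytes
 * (memset stands in for leftover stack data). Returns 1 if they compare equal. */
int same_address_compares_equal(int patched) {
    struct in6_addr bound;
    struct sockaddr_in6 a, b;
    void (*fill)(struct sockaddr_in6 *, const struct in6_addr *) =
        patched ? model_from_sk_patched : model_from_sk_unpatched;
    inet_pton(AF_INET6, "fe80::1", &bound); /* constructed sample address */
    memset(&a, 0xAA, sizeof(a));
    memset(&b, 0x55, sizeof(b));
    fill(&a, &bound);
    fill(&b, &bound);
    return model_cmp_addr(&a, &b);
}

int main(void) {
    printf("unpatched equal=%d, patched equal=%d\n", same_address_compares_equal(0), same_address_compares_equal(1));
    return 0;
}
```

In the unpatched model the same bound address compares as different because the leftover scope id bytes differ between the two slots; clearing both fields makes the comparison depend only on the address.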

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific vulnerable kernel versions referenced in the git commits (exact range depends on distribution backports)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if SCTP IPv6 support is compiled into the kernel and being used. Many distributions don't enable SCTP by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic or system crash due to undefined behavior from uninitialized memory access, potentially causing denial of service.

🟠 Likely Case: System instability, crashes, or unpredictable behavior during SCTP IPv6 operations, particularly when binding or listening on sockets.

🟢 If Mitigated: Minor performance impact or no noticeable effect if SCTP IPv6 is not used or the vulnerability is not triggered.

🌐 Internet-Facing: MEDIUM - Systems with SCTP IPv6 services exposed to the network could experience service disruption if exploited.
🏢 Internal Only: LOW - Internal systems using SCTP IPv6 might experience instability, but exploitation requires specific conditions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires triggering the specific code path through SCTP IPv6 socket operations. Found by syzbot fuzzer.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 17d6c7747045e9b802c2f5dfaba260d309d831ae, 1bbc0c02aea1f1c405bd1271466889c25a1fe01b, 2e8750469242cad8f01f320131fd5a6f540dbb99, 45e4b36593edffb7bbee5828ae820bc10a9fa0f3, 463aa96fca6209bb205f49f7deea3817d7ddaa3a

Vendor Advisory: https://git.kernel.org/stable/c/17d6c7747045e9b802c2f5dfaba260d309d831ae

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable SCTP IPv6

Linux

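Disable SCTP IPv6 support if not required. The commands below stop the sctp module from being loaded and unload it if it is not in use, which disables SCTP as a whole; they have no effect on a kernel with SCTP built in.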

echo 'install sctp /bin/true' >> /etc/modprobe.d/disable-sctp.conf
rmmod sctp 2>/dev/null || true

🧯 If You Can't Patch

  • Disable SCTP module entirely if not needed
  • Restrict SCTP socket operations to trusted processes only

🔍 How to Verify

Check if Vulnerable:

Check whether the sctp module is loaded and whether the kernel version falls in the affected range (lsmod does not list SCTP when it is built into the kernel):

lsmod | grep sctp && uname -r

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated beyond vulnerable commits and SCTP functions work without crashes

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • System crash dumps
  • SCTP-related error messages in dmesg

Network Indicators:

  • Unexpected SCTP connection failures
  • SCTP service unavailability

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "BUG") AND ("sctp" OR "SCTP")
