CVE-2025-39852
📋 TL;DR
A memory leak vulnerability exists in the Linux kernel's TCP-AO (Authentication Option) implementation for IPv6. When TCP connection establishment fails during authentication, the kernel fails to properly clean up socket memory, leading to resource exhaustion. This affects all Linux systems using TCP-AO with IPv6.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could lead to kernel memory exhaustion, causing system instability, denial of service, or potential kernel crashes.
Likely Case
Gradual memory consumption under specific TCP-AO failure conditions, potentially leading to performance degradation or service disruption over time.
If Mitigated
Minimal impact with proper monitoring and memory limits in place; systems may experience temporary performance issues during attack scenarios.
🎯 Exploit Status
Exploitation requires ability to trigger TCP-AO authentication failures on IPv6 connections; attacker needs network access to target system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 3d2b356d994a8801acb397cafd28b13672c37ab5, 46d33c878fc0b3d7570366b2c9912395b3f4e701, or fa390321aba0a54d0f7ae95ee4ecde1358bb9234
Vendor Advisory: https://git.kernel.org/stable/c/3d2b356d994a8801acb397cafd28b13672c37ab5
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable TCP-AO
Linux: If TCP-AO authentication is not required, disable it to prevent the vulnerability from being triggered.
sysctl -w net.ipv4.tcp_ao=0
sysctl -w net.ipv6.tcp_ao=0
Limit IPv6 TCP connections
Linux: Implement connection rate limiting or firewall rules to restrict IPv6 TCP connections. IPv6 traffic is filtered by ip6tables, not iptables.
ip6tables -A INPUT -p tcp --dport [PORT] -m state --state NEW -m recent --set
ip6tables -A INPUT -p tcp --dport [PORT] -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
🧯 If You Can't Patch
- Disable TCP-AO authentication if not required for your use case
- Implement system monitoring for memory consumption and restart services if memory usage becomes excessive
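One way to implement the memory monitoring suggested above, as an added example that is not part of the original advisory: sample the TCP `alloc` counter from `/proc/net/sockstat` and flag a rising floor. It assumes sockets leaked by this bug remain counted in `alloc`; the function names and the threshold are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumption: leaked sockets are never
# freed, so they stay in the TCP "alloc" counter of /proc/net/sockstat.

# tcp_alloc FILE -> prints the TCP "alloc" value from a sockstat-format file
tcp_alloc() {
    awk '$1 == "TCP:" { for (i = 2; i < NF; i += 2) if ($i == "alloc") print $(i + 1) }' "$1"
}

# collect COUNT INTERVAL_SECONDS -> one alloc sample per line, oldest first
collect() {
    n=$1
    while [ "$n" -gt 0 ]; do
        tcp_alloc /proc/net/sockstat
        n=$((n - 1))
        if [ "$n" -gt 0 ]; then sleep "$2"; fi
    done
}

# leak_trend MIN_RISE < samples
# Compares the lowest sample in the first half with the lowest in the second
# half. Normal load makes alloc rise and fall; a leak lifts the floor.
leak_trend() {
    awk -v min="$1" '
        { v[NR] = $1 + 0 }
        END {
            if (NR < 4) { print "insufficient-data"; exit }
            half = int(NR / 2)
            lo1 = v[1]; lo2 = v[NR]
            for (i = 1; i <= half; i++) if (v[i] < lo1) lo1 = v[i]
            for (i = NR - half + 1; i <= NR; i++) if (v[i] < lo2) lo2 = v[i]
            verdict = (lo2 - lo1 >= min) ? "LEAK-SUSPECT" : "ok"
            print verdict, lo1 "->" lo2
        }'
}

# Example: 12 samples, 5 minutes apart, alert if the floor rose by 500 sockets.
# collect 12 300 | leak_trend 500
```

The `alloc` counter covers IPv4 and IPv6 TCP sockets together, so pick the threshold against the host's normal baseline.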
🔍 How to Verify
Check if Vulnerable:
Check if TCP-AO is enabled: sysctl net.ipv4.tcp_ao net.ipv6.tcp_ao; check kernel version against patched versions
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits or is newer than patched versions; confirm TCP-AO functionality works without memory leaks
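A complementary check, added here and not part of the original advisory: whether TCP-AO is compiled into the kernel at all (the `CONFIG_TCP_AO` build option) and whether the sysctl keys named above are exposed by the running kernel. The config paths `/boot/config-$(uname -r)` and `/proc/config.gz` are assumptions that depend on the distribution.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumed paths: /boot/config-<release>
# or /proc/config.gz, depending on how the distribution ships its kernel config.

# tcp_ao_state FILE -> prints "built-in", "absent" or "unknown"
tcp_ao_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 0; }
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # CONFIG_TCP_AO is a bool option: "=y" when compiled in, otherwise not set.
    if $reader "$cfg" | grep -q '^CONFIG_TCP_AO=y$'; then
        echo built-in
    else
        echo absent
    fi
}

# sysctl_present KEY -> succeeds only if the running kernel exposes KEY
sysctl_present() {
    [ -e "/proc/sys/$(printf '%s' "$1" | tr . /)" ]
}

report() {
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] || cfg=/proc/config.gz
    echo "kernel $(uname -r): TCP-AO $(tcp_ao_state "$cfg")"
    for key in net.ipv4.tcp_ao net.ipv6.tcp_ao; do
        if sysctl_present "$key"; then
            echo "$key = $(sysctl -n "$key")"
        else
            echo "$key: not exposed by this kernel"
        fi
    done
}

report
```

A kernel reporting `absent` does not contain the TCP-AO code at all; one reporting `built-in` still needs the fix commits listed above.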
📡 Detection & Monitoring
Log Indicators:
- Kernel OOM (Out of Memory) messages
- System memory exhaustion warnings
- TCP connection failures with authentication errors
Network Indicators:
- Unusual TCP connection attempts with authentication options
- IPv6 TCP traffic patterns causing system resource issues
SIEM Query:
source="kernel" AND ("out of memory" OR "oom" OR "memory allocation failure") AND ("tcp" OR "socket")