CVE-2025-39950

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference exists in the Linux kernel's TCP-AO (TCP Authentication Option) implementation when it is combined with TCP_REPAIR mode. A crafted connect() system call on a socket that has both TCP-AO keys installed and TCP_REPAIR enabled triggers a kernel panic, i.e. a denial of service. Systems running affected Linux kernel versions with TCP-AO configured are vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions containing the vulnerable code (specific commit range not provided, but patches available for stable branches)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when both TCP-AO (Authentication Option) is configured with keys AND TCP_REPAIR socket option is enabled on the socket.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to complete system crash and denial of service, requiring physical or remote console access to reboot.

🟠

Likely Case

Local denial of service affecting the specific system where the exploit is executed, potentially disrupting network services on that host.

🟢

If Mitigated

No impact if TCP-AO is not configured or TCP_REPAIR is disabled.

🌐 Internet-Facing: LOW - Requires local access or ability to execute code on the target system.
🏢 Internal Only: MEDIUM - Malicious local users or compromised accounts could crash systems, but requires specific TCP-AO configuration.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Proof-of-concept code is included in the CVE description. Exploitation requires local access to create sockets and set socket options.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel branches via git commits: 2e7bba08923e, 5f445eb25990, 993b734d31ab

Vendor Advisory: https://git.kernel.org/stable/c/2e7bba08923ebc675b1f0e0e0959e68e53047838

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the fix by checking the kernel version or testing the PoC.

🔧 Temporary Workarounds

Disable TCP-AO

Remove TCP Authentication Option configuration from systems where it's not required. TCP-AO keys are per socket: the application installs them with setsockopt(TCP_AO_ADD_KEY) and removes them with TCP_AO_DEL_KEY, so check the configuration of the services that use TCP-AO (typically BGP daemons) as well as the commands below.

# Remove TCP-AO keys: ip tcp_ao del key ID
# Check existing keys: ip tcp_ao show

Restrict TCP_REPAIR usage

Limit the ability to use the TCP_REPAIR socket option through capabilities or access controls. The kernel only allows TCP_REPAIR for callers holding CAP_NET_ADMIN in the socket's network namespace, so drop that capability from applications that do not need it. Where unprivileged user namespaces are allowed, a local user can obtain CAP_NET_ADMIN over a network namespace they create, so restricting user namespace creation closes that route as well.

# Use capabilities: setcap -r /bin/your_application
# Or use SELinux/AppArmor to restrict socket options

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from creating sockets and setting socket options.
  • Monitor for unusual socket creation patterns or TCP_REPAIR usage in system logs.

🔍 How to Verify

Check if Vulnerable:

Test with the provided PoC code on a test system. If system crashes or shows kernel panic, it's vulnerable.

Check Version:

uname -r

Verify Fix Applied:

After patching, run the PoC code again - it should complete without crashing. Check dmesg for absence of NULL pointer dereference errors.
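As an added example (not code from the advisory or from the kernel project), the following shell script answers the "Check if Vulnerable" question without running the crashing PoC. It uses the two gates the workarounds rely on: the vulnerable function only exists when the kernel was built with CONFIG_TCP_AO, and TCP_REPAIR is only granted to callers holding CAP_NET_ADMIN in the socket's network namespace, which unprivileged user namespaces can provide. It assumes the kernel config is supplied as a file (on a live host, /boot/config-$(uname -r) or the output of zcat /proc/config.gz) and consults only the user.max_user_namespaces sysctl; the config fragments it scans are constructed samples.

```shell
#!/bin/sh
# Added example; not code from the advisory or from the kernel project.
# Answers "can this host reach the TCP-AO + TCP_REPAIR path at all?" without
# running the crashing PoC. Two facts it relies on:
#   - tcp_ao_finish_connect() is only compiled when CONFIG_TCP_AO=y.
#   - setsockopt(TCP_REPAIR) is gated on CAP_NET_ADMIN in the socket's network
#     namespace; an unprivileged user can hold that inside a user namespace
#     they created, if the host allows unprivileged user-namespace creation.
# Assumptions: the kernel config is passed in as a file (normally
# /boot/config-$(uname -r), or the output of `zcat /proc/config.gz`), and
# user.max_user_namespaces is the only namespace-policy knob consulted
# (distributions may add their own, e.g. Debian's kernel.unprivileged_userns_clone).

# tcp_ao_compiled_in CONFIG_FILE -> exit 0 when CONFIG_TCP_AO=y is set
tcp_ao_compiled_in() {
    grep -q '^CONFIG_TCP_AO=y$' "$1"
}

# classify_exposure CONFIG_FILE MAX_USER_NS -> prints one word:
#   none        TCP-AO not built; the vulnerable function does not exist here
#   privileged  reachable only by processes already holding CAP_NET_ADMIN
#   local-user  unprivileged user namespaces allowed, so any local user can
#               obtain CAP_NET_ADMIN over a fresh network namespace
classify_exposure() {
    cfg=$1
    max_user_ns=$2
    if ! tcp_ao_compiled_in "$cfg"; then
        echo none
    elif [ "$max_user_ns" -eq 0 ] 2>/dev/null; then
        echo privileged
    else
        echo local-user
    fi
}

# Live use on a real host (not executed here):
#   classify_exposure "/boot/config-$(uname -r)" "$(sysctl -n user.max_user_namespaces)"

# Constructed sample kernel config fragments for demonstration.
CFG_WITH_AO=$(mktemp)
printf 'CONFIG_NET=y\nCONFIG_TCP_AO=y\nCONFIG_TCP_MD5SIG=y\n' >"$CFG_WITH_AO"
CFG_WITHOUT_AO=$(mktemp)
printf 'CONFIG_NET=y\n# CONFIG_TCP_AO is not set\nCONFIG_TCP_MD5SIG=y\n' >"$CFG_WITHOUT_AO"

echo "without TCP-AO:                    $(classify_exposure "$CFG_WITHOUT_AO" 0)"
echo "TCP-AO, user namespaces disabled:  $(classify_exposure "$CFG_WITH_AO" 0)"
echo "TCP-AO, user namespaces allowed:   $(classify_exposure "$CFG_WITH_AO" 15000)"
```

A result of none means the host carries no vulnerable code; privileged means only CAP_NET_ADMIN holders can reach it; local-user means any local account can. The script measures reachability only, so a patched kernel is still classified local-user; it complements the version check rather than replacing it.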

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in dmesg or /var/log/messages
  • NULL pointer dereference errors mentioning tcp_ao_finish_connect

Network Indicators:

  • Unusual TCP socket creation patterns with both TCP-AO and TCP_REPAIR

SIEM Query:

source="kernel" AND ("NULL pointer dereference" OR "tcp_ao_finish_connect" OR "Oops:")
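The SIEM query above expressed as a shell check you can run over saved dmesg or journal output, as an added example (not code from the advisory or from the kernel project). Besides counting indicator lines, it requires both an oops line and a tcp_ao_finish_connect frame before reporting this CVE's signature, so an unrelated NULL pointer dereference is not mis-attributed. The sample log lines are constructed; addresses and symbol offsets are placeholders, not output captured from a real crash.

```shell
#!/bin/sh
# Added example; not code from the advisory or from the kernel project.
# Applies the advisory's log indicators to kernel-log text and separates
# "some oops happened" from "the oops is in the TCP-AO connect path".
# The sample log lines below are constructed: addresses and symbol offsets
# are placeholders, not output captured from a real crash.

# indicator_hits LOGFILE -> number of lines matching any advisory indicator
indicator_hits() {
    grep -c -E 'NULL pointer dereference|tcp_ao_finish_connect|Oops:' "$1" || true
}

# tcp_ao_repair_signature LOGFILE -> exit 0 only when the log contains both an
# oops/NULL-pointer-dereference line and a tcp_ao_finish_connect frame.
# Requiring both avoids flagging unrelated kernel oopses as this CVE.
tcp_ao_repair_signature() {
    grep -q -E 'NULL pointer dereference|Oops:' "$1" &&
    grep -q 'tcp_ao_finish_connect' "$1"
}

# Constructed sample: a crash in tcp_ao_finish_connect() (placeholder offsets).
CRASH_LOG=$(mktemp)
cat >"$CRASH_LOG" <<'EOF'
[  120.001234] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  120.001300] Oops: 0000 [#1] PREEMPT SMP
[  120.001400] RIP: 0010:tcp_ao_finish_connect+0x0/0x0
[  120.001500] Call Trace:
[  120.001600]  tcp_finish_connect+0x0/0x0
[  121.000000] eth0: link up
EOF

# Constructed sample: an unrelated oops with no TCP-AO frame.
OTHER_LOG=$(mktemp)
cat >"$OTHER_LOG" <<'EOF'
[   42.000100] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   42.000200] Oops: 0000 [#1] PREEMPT SMP
[   42.000300] RIP: 0010:some_other_driver_fn+0x0/0x0
[   43.000000] eth0: link up
EOF

for f in "$CRASH_LOG" "$OTHER_LOG"; do
    if tcp_ao_repair_signature "$f"; then
        verdict="TCP-AO/TCP_REPAIR crash signature"
    else
        verdict="other oops, review manually"
    fi
    echo "$f: $(indicator_hits "$f") indicator line(s); $verdict"
done
```

On a live host, save the kernel log first (for example `dmesg > /tmp/kmsg`) and pass that file to tcp_ao_repair_signature; a match on an unpatched kernel is the same event the PoC-based verification step produces.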
