CVEFinder.io

CVE-2025-39965

⚠️ high
Summary

In the Linux kernel, the following vulnerability has been resolved: xfrm: xfrm_alloc_spi shouldn't use 0 as SPI x->id.spi == 0 means "no SPI assigned", but since commit 94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states and add them to the byspi list with this value. __xfrm_state_delete doesn't remove those states from the byspi list, since they shouldn't be there, and this shows up as a UAF the next time we go through the byspi list.

CVSS Score
7.8
High
EPSS Score
0.0
Exploit Probability
Published Date
2025-10-13
First Seen: 2026-01-05
Last Modified 2026-02-03
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

🔗 References 4

https://git.kernel.org/stable/c/0baf92d0b1590b903c1f...
Patch
https://git.kernel.org/stable/c/9fcedabaae0096f712bb...
Patch
https://git.kernel.org/stable/c/a78e55776522373c446f...
Patch
https://git.kernel.org/stable/c/cd8ae32e4e4652db55bc...
Patch

📦 Affected Products 13

Vendor Product Status Affected Versions
linux linux_kernel Affected
> 6.12.43 < 6.12.50
linux linux_kernel Affected
> 6.15.11 < 6.16
linux linux_kernel Affected
> 6.16.2 < 6.16.10
linux linux_kernel Affected
> 6.6.103 < 6.6.109
linux linux_kernel Affected
v6.17
linux linux Affected
≥ 3d8090bb53424432fa788fe9a49e8ceca74f0544 < 0baf92d0b1590b903c1f4ead75e61715e50e8146
linux linux Affected
≥ 6.12.43 < 6.12.50
linux linux Affected
≥ 6.16.2 < 6.16.10
linux linux Affected
≥ 6.6.103 < 6.6.109
linux linux Affected
≥ 2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38 < 9fcedabaae0096f712bbb4ccca6a8538af1cd1c8
linux linux Affected
≥ 29e9158f91f99057dbd35db5e8674d93b38549fe < a78e55776522373c446f18d5002a8de4b09e6bf7
linux linux Affected
≥ 94f39804d891cffe4ce17737d295f3b195bc7299 < cd8ae32e4e4652db55bce6b9c79267d8946765a9
linux linux Affected
vc67d4e7a8f90fb6361ca89d4d5c9a28f4e935e47

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-68338 🔶 medium - 0.0 In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: Don't free uninitialized ksz_i... 2025-12-23
CVE-2025-68339 🔶 medium - 0.0 In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_op... 2025-12-23
CVE-2025-68340 🔶 medium - 0.0 In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of te... 2025-12-23
CVE-2025-68341 🔶 medium - 0.0 In the Linux kernel, the following vulnerability has been resolved: veth: reduce XDP no_direct return section to fix ra... 2025-12-23
CVE-2025-68342 🔶 medium - 0.0 In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check ... 2025-12-23
CVE-2025-68343 🔶 medium - 0.0 In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check ... 2025-12-23
These CVEs affect the same products