{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-29T08:11:43.773","vulnerabilities":[{"cve":{"id":"CVE-2025-38154","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-03T09:15:30.363","lastModified":"2025-12-18T21:09:23.377","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Avoid using sk_socket after free when sending\n\nThe sk->sk_socket is not locked or referenced in backlog thread, and\nduring the call to skb_send_sock(), there is a race condition with\nthe release of sk_socket. All types of sockets(tcp/udp/unix/vsock)\nwill be affected.\n\nRace conditions:\n'''\nCPU0                               CPU1\n\nbacklog::skb_send_sock\n  sendmsg_unlocked\n    sock_sendmsg\n      sock_sendmsg_nosec\n                                   close(fd):\n                                     ...\n                                     ops->release() -> sock_map_close()\n                                     sk_socket->ops = NULL\n                                     free(socket)\n      sock->ops->sendmsg\n            ^\n            panic here\n'''\n\nThe ref of psock become 0 after sock_map_close() executed.\n'''\nvoid sock_map_close()\n{\n    ...\n    if (likely(psock)) {\n    ...\n    // !! here we remove psock and the ref of psock become 0\n    sock_map_remove_links(sk, psock)\n    psock = sk_psock_get(sk);\n    if (unlikely(!psock))\n        goto no_psock; <=== Control jumps here via goto\n        ...\n        cancel_delayed_work_sync(&psock->work); <=== not executed\n        sk_psock_put(sk, psock);\n        ...\n}\n'''\n\nBased on the fact that we already wait for the workqueue to finish in\nsock_map_close() if psock is held, we simply increase the psock\nreference count to avoid race conditions.\n\nWith this patch, if the backlog thread is running, sock_map_close() will\nwait for the backlog thread to complete and cancel all pending work.\n\nIf no backlog running, any pending work that hasn't started by then will\nfail when invoked by sk_psock_get(), as the psock reference count have\nbeen zeroed, and sk_psock_drop() will cancel all jobs via\ncancel_delayed_work_sync().\n\nIn summary, we require synchronization to coordinate the backlog thread\nand close() thread.\n\nThe panic I catched:\n'''\nWorkqueue: events sk_psock_backlog\nRIP: 0010:sock_sendmsg+0x21d/0x440\nRAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001\n...\nCall Trace:\n <TASK>\n ? die_addr+0x40/0xa0\n ? exc_general_protection+0x14c/0x230\n ? asm_exc_general_protection+0x26/0x30\n ? sock_sendmsg+0x21d/0x440\n ? sock_sendmsg+0x3e0/0x440\n ? __pfx_sock_sendmsg+0x10/0x10\n __skb_send_sock+0x543/0xb70\n sk_psock_backlog+0x247/0xb80\n...\n'''"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf, sockmap: Evite usar sk_socket después de liberar al enviar El sk-&gt;sk_socket no está bloqueado o referenciado en el hilo del backlog, y durante la llamada a skb_send_sock(), hay una condición de ejecución con la liberación de sk_socket. Todos los tipos de sockets (tcp/udp/unix/vsock) se verán afectados. Condiciones de ejecuciones: ''' CPU0 CPU1 backlog::skb_send_sock sendmsg_unlocked sock_sendmsg sock_sendmsg_nosec close(fd): ... ops-&gt;release() -&gt; sock_map_close() sk_socket-&gt;ops = NULL free(socket) sock-&gt;ops-&gt;sendmsg ^ pánico aquí ''' La referencia de psock se convierte en 0 después de ejecutar sock_map_close(). ''' void sock_map_close() { ... if (likely(psock)) { ... // !! aquí eliminamos psock y la referencia de psock se convierte en 0 sock_map_remove_links(sk, psock) psock = sk_psock_get(sk); if (unlikely(!psock)) goto no_psock; &lt;=== El control salta aquí mediante goto ... cancel_delayed_work_sync(&amp;psock-&gt;work); &lt;=== no se ejecuta sk_psock_put(sk, psock); ... } ''' Basándonos en el hecho de que ya esperamos a que finalice la cola de trabajo en sock_map_close() si psock está retenido, simplemente aumentamos el recuento de referencias de psock para evitar condiciones de ejecución. Con este parche, si el hilo de la lista de tareas pendientes se está ejecutando, sock_map_close() esperará a que se complete el hilo de la lista de tareas pendientes y cancelará todo el trabajo pendiente. Si no hay trabajos pendientes en ejecución, cualquier trabajo pendiente que no haya comenzado para entonces fallará al ser invocado por sk_psock_get(), ya que el recuento de referencias de psock se ha puesto a cero, y sk_psock_drop() cancelará todos los trabajos mediante cancel_delayed_work_sync(). En resumen, necesitamos sincronización para coordinar el hilo de trabajo pendiente y el hilo de cierre. El pánico que me entró: ''' Workqueue: events sk_psock_backlog RIP: 0010:sock_sendmsg+0x21d/0x440 RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 ... Call Trace:  ? die_addr+0x40/0xa0 ? exc_general_protection+0x14c/0x230 ? asm_exc_general_protection+0x26/0x30 ? sock_sendmsg+0x21d/0x440 ? sock_sendmsg+0x3e0/0x440 ? __pfx_sock_sendmsg+0x10/0x10 __skb_send_sock+0x543/0xb70 sk_psock_backlog+0x247/0xb80 ... ''' "}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.162","versionEndExcluding":"5.15.186","matchCriteriaId":"D435B53D-0FAA-4FE8-A253-D3BB51FB33D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.95","versionEndExcluding":"6.1.142","matchCriteriaId":"09E3982E-A817-487E-AF93-05C0CE745E45"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.35","versionEndExcluding":"6.6.94","matchCriteriaId":"B5F01BA1-187F-4D06-B1A6-D43397B8DEBD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9.6","versionEndExcluding":"6.10","matchCriteriaId":"AEE76B76-CD40-4103-8E82-768D583AB8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10.1","versionEndExcluding":"6.12.34","matchCriteriaId":"FB4B0709-0132-4A32-8703-77BDD84FDF62"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.3","matchCriteriaId":"0541C761-BD5E-4C1A-8432-83B375D7EB92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:-:*:*:*:*:*:*","matchCriteriaId":"9EA80796-744E-45F5-8632-2AB4F7889FCD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*","matchCriteriaId":"331C2F14-12C7-45D5-893D-8C52EE38EA10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*","matchCriteriaId":"3173713D-909A-4DD3-9DD4-1E171EB057EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*","matchCriteriaId":"79F18AFA-40F7-43F0-BA30-7BDB65F918B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*","matchCriteriaId":"BD973AA4-A789-49BD-8D57-B2846935D3C7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*","matchCriteriaId":"8F3E9E0C-AC3E-4967-AF80-6483E8AB0078"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc7:*:*:*:*:*:*","matchCriteriaId":"11AF4CB9-F697-4EA4-8903-8F9417EFDA8E"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/15c0250dae3b48a398447d2b364603821ed4ed90","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4c6fa65ab2aec7df94809478c8d28ef38676a1b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4edb40b05cb6a261775abfd8046804ca139a5546","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8259eb0e06d8f64c700f5fbdb28a5c18e10de291","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}