-

CVE-2025-40281

In the Linux kernel, the following vulnerability has been resolved:

sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

syzbot reported a possible shift-out-of-bounds [1]

Blamed commit added rto_alpha_max and rto_beta_max set to 1000.

It is unclear if some sctp users are setting very large rto_alpha
and/or rto_beta.

In order to prevent user regression, perform the test at run time.

Also add READ_ONCE() annotations as sysctl values can change under us.

[1]

UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41
shift exponent 64 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
  ubsan_epilogue lib/ubsan.c:233 [inline]
  __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494
  sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509
  sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502
  sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338
  sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]
  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < 0e0413e3315199b23ff4aec295e256034cd0a6e4
Version b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b
Status affected
Version < 834e65be429c0fa4f9bb5945064bd57f18ed2187
Version b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b
Status affected
Version < abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a
Version b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b
Status affected
Version < d0d858652834dcf531342c82a0428170aa7c2675
Version b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b
Status affected
Version < ed71f801249d2350c77a73dca2c03918a15a62fe
Version b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b
Status affected
Version < 1cfa4eac275cc4875755c1303d48a4ddfe507ca8
Version b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b
Status affected
Version < aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d
Version b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b
Status affected
Version < 1534ff77757e44bcc4b98d0196bc5c0052fce5fa
Version b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 3.16
Status affected
Version < 3.16
Version 0
Status unaffected
Version <= 5.4.*
Version 5.4.302
Status unaffected
Version <= 5.10.*
Version 5.10.247
Status unaffected
Version <= 5.15.*
Version 5.15.197
Status unaffected
Version <= 6.1.*
Version 6.1.159
Status unaffected
Version <= 6.6.*
Version 6.6.117
Status unaffected
Version <= 6.12.*
Version 6.12.59
Status unaffected
Version <= 6.17.*
Version 6.17.9
Status unaffected
Version <= *
Version 6.18
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.02% 0.057
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String