cbcvebase.
CVE-2025-38236
published 2025-07-08

CVE-2025-38236: In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't leave consecutive consumed OOB skbs. Jann Horn reported a use-after-free in…

high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't leave consecutive consumed OOB skbs. Jann Horn reported a use-after-free in unix_stream_read_generic(). The following sequences reproduce the issue: $ python3 from socket import * s1, s2 = socketpair(AF_UNIX, SOCK_STREAM) s1.send(b'x', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'y', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'z', MSG_OOB) s2.recv(1) # recv 'z' illegally s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free) Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv(). After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb. Then, the following happens during the next recv() without MSG_OOB 1. unix_stream_read_generic() peeks the first consumed OOB skb 2. manage_oob() returns the next consumed OOB skb 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb 4. unix_stream_read_generic() reads and frees the OOB skb , and the last recv(MSG_OOB) triggers KASAN splat. The 3. above occurs because of the SO_PEEK_OFF code, which does not expect unix_skb_len(skb) to be 0, but this is true for such consumed OOB skbs. while (skip >= unix_skb_len(skb)) { skip -= unix_skb_len(skb); skb = skb_peek_next(skb, &sk->sk_receive_queue); ... } In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs. So, nothing good comes out of such a situation. Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily. Now, while receiving an OOB skb in unix_stream_recv_urg(), if its previous skb is a consumed OOB skb, it is freed. [0]: BUG: KASAN: slab-use-after-free in unix_stre

Affected

37 ranges· showing 25
VendorProductVersion rangeFixed in
debiandebian_linux
debianlinux< linux 6.1.147-1 (bookworm)linux 6.1.147-1 (bookworm)
debianlinux-6.1< linux 6.1.147-1 (bookworm)linux 6.1.147-1 (bookworm)
googleandroid
linuxlinux
linuxlinux>= 314001f0bf927015e459c9d387d62a231fe93af3 < 523edfed4f68b7794d85b9ac828c5f8f4442e4c5523edfed4f68b7794d85b9ac828c5f8f4442e4c5
linuxlinux>= 314001f0bf927015e459c9d387d62a231fe93af3 < a12237865b48a73183df252029ff5065d73d305ea12237865b48a73183df252029ff5065d73d305e
linuxlinux>= 314001f0bf927015e459c9d387d62a231fe93af3 < fad0a2c16062ac7c606b93166a7ce9d265bab976fad0a2c16062ac7c606b93166a7ce9d265bab976
linuxlinux>= 314001f0bf927015e459c9d387d62a231fe93af3 < 61a9ad7b69ce688697e5f63332f03e17725353bc61a9ad7b69ce688697e5f63332f03e17725353bc
linuxlinux>= 314001f0bf927015e459c9d387d62a231fe93af3 < 8db4d2d026e6e3649832bfe23b96c4acff0756db8db4d2d026e6e3649832bfe23b96c4acff0756db
linuxlinux>= 314001f0bf927015e459c9d387d62a231fe93af3 < 32ca245464e1479bfea8592b9db227fdc164170532ca245464e1479bfea8592b9db227fdc1641705
linuxlinux_kernel
linuxlinux_kernel>= 0 < 6.1.147-16.1.147-1
linuxlinux_kernel>= 0 < 6.12.37-16.12.37-1
linuxlinux_kernel>= 0 < 6.12.37-16.12.37-1
linuxlinux_kernel>= 0 < 5.15.0-170.1805.15.0-170.180
linuxlinux_kernel>= 0 < 6.8.0-100.1006.8.0-100.100
linuxlinux_kernel>= 5.15 < 5.15.1945.15.194
linuxlinux_kernel>= 5.16 < 6.1.1436.1.143
linuxlinux_kernel>= 6.13 < 6.15.56.15.5
linuxlinux_kernel>= 6.2 < 6.6.966.6.96
linuxlinux_kernel>= 6.7 < 6.12.366.12.36
msrcazl3_kernel_6.6.92.2-2_on_azure_linux_3.0
msrcazl3_kernel_6.6.96.1-1_on_azure_linux_3.0
msrccbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH