CVE-2025-40240 (GCVE-0-2025-40240)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2026-06-16 19:41
VLAI
Title
sctp: avoid NULL dereference when chunk data buffer is missing
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: avoid NULL dereference when chunk data buffer is missing
chunk->skb pointer is dereferenced in the if-block where it's supposed
to be NULL only.
chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list
instead and do it just before replacing chunk->skb. We're sure that
otherwise chunk->skb is non-NULL because of outer if() condition.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
90017accff61ae89283ad9a51f9ac46ca01633fb , < 61cda2777b07d27459f5cac5a047c3edf9c8a1a9
(git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 08165c296597075763130919f2aae59b5822f016 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < cb9055ba30306ede4ad920002233d0659982f1cb (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 7a832b0f99be19df608cb75c023f8027b1789bd1 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 89b465b54227c245ddc7cc9ed822231af21123ef (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 441f0647f7673e0e64d4910ef61a5fb8f16bfb82 (git) |
|
| Linux | Linux |
Affected:
4.8
Unaffected: 0 , < 4.8 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.196 , ≤ 5.15.* (semver) Unaffected: 6.1.158 , ≤ 6.1.* (semver) Unaffected: 6.6.115 , ≤ 6.6.* (semver) Unaffected: 6.12.56 , ≤ 6.12.* (semver) Unaffected: 6.17.6 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:41:12.884839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:41:24.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61cda2777b07d27459f5cac5a047c3edf9c8a1a9",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "08165c296597075763130919f2aae59b5822f016",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "cb9055ba30306ede4ad920002233d0659982f1cb",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "7a832b0f99be19df608cb75c023f8027b1789bd1",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "89b465b54227c245ddc7cc9ed822231af21123ef",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "441f0647f7673e0e64d4910ef61a5fb8f16bfb82",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\nto be NULL only.\n\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\notherwise chunk-\u003eskb is non-NULL because of outer if() condition."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:45:30.172Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9"
},
{
"url": "https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016"
},
{
"url": "https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f"
},
{
"url": "https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71"
},
{
"url": "https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb"
},
{
"url": "https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1"
},
{
"url": "https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef"
},
{
"url": "https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82"
}
],
"title": "sctp: avoid NULL dereference when chunk data buffer is missing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40240",
"datePublished": "2025-12-04T15:31:29.715Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-06-16T19:41:24.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-40240",
"date": "2026-06-18",
"epss": "0.00177",
"percentile": "0.07379"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-40240\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-04T16:16:17.100\",\"lastModified\":\"2025-12-04T17:15:08.283\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsctp: avoid NULL dereference when chunk data buffer is missing\\n\\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\\nto be NULL only.\\n\\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\\notherwise chunk-\u003eskb is non-NULL because of outer if() condition.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-40240\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-16T19:41:12.884839Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-16T19:41:19.307Z\"}}], \"cna\": {\"title\": \"sctp: avoid NULL dereference when chunk data buffer is missing\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"90017accff61ae89283ad9a51f9ac46ca01633fb\", \"lessThan\": \"61cda2777b07d27459f5cac5a047c3edf9c8a1a9\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"90017accff61ae89283ad9a51f9ac46ca01633fb\", \"lessThan\": \"08165c296597075763130919f2aae59b5822f016\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"90017accff61ae89283ad9a51f9ac46ca01633fb\", \"lessThan\": \"03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"90017accff61ae89283ad9a51f9ac46ca01633fb\", \"lessThan\": \"4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"90017accff61ae89283ad9a51f9ac46ca01633fb\", \"lessThan\": \"cb9055ba30306ede4ad920002233d0659982f1cb\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"90017accff61ae89283ad9a51f9ac46ca01633fb\", \"lessThan\": \"7a832b0f99be19df608cb75c023f8027b1789bd1\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"90017accff61ae89283ad9a51f9ac46ca01633fb\", \"lessThan\": \"89b465b54227c245ddc7cc9ed822231af21123ef\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"90017accff61ae89283ad9a51f9ac46ca01633fb\", \"lessThan\": \"441f0647f7673e0e64d4910ef61a5fb8f16bfb82\", \"versionType\": \"git\"}], \"programFiles\": [\"net/sctp/inqueue.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.301\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.246\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.196\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.158\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.115\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.56\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.17.6\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.17.*\"}, {\"status\": \"unaffected\", \"version\": \"6.18\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/sctp/inqueue.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9\"}, {\"url\": \"https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016\"}, {\"url\": \"https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f\"}, {\"url\": \"https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71\"}, {\"url\": \"https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb\"}, {\"url\": \"https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1\"}, {\"url\": \"https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef\"}, {\"url\": \"https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsctp: avoid NULL dereference when chunk data buffer is missing\\n\\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\\nto be NULL only.\\n\\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\\notherwise chunk-\u003eskb is non-NULL because of outer if() condition.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.301\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.246\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.196\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.158\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.115\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.56\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.17.6\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.18\", \"versionStartIncluding\": \"4.8\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T21:45:30.172Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-40240\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-16T19:41:24.741Z\", \"dateReserved\": \"2025-04-16T07:20:57.181Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-12-04T15:31:29.715Z\", \"assignerShortName\": \"Linux\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…