Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2025:21931
Vulnerability from osv_almalinux
Published
2025-11-24 00:00
Modified
2025-12-05 08:40
Summary
Moderate: kernel security update
Details
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix(es):
- kernel: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (CVE-2025-39730)
- kernel: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect() (CVE-2025-39955)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "kernel-abi-stablelists"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.12.0-124.13.1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "kernel-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.12.0-124.13.1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The kernel packages contain the Linux kernel, the core of any Linux operating system. \n\nSecurity Fix(es): \n\n * kernel: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (CVE-2025-39730)\n * kernel: tcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect() (CVE-2025-39955)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:21931",
"modified": "2025-12-05T08:40:10Z",
"published": "2025-11-24T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:21931"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-39730"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-39955"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2393731"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2402699"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2025-21931.html"
}
],
"related": [
"CVE-2025-39730",
"CVE-2025-39955"
],
"summary": "Moderate: kernel security update"
}
CVE-2025-39730 (GCVE-0-2025-39730)
Vulnerability from cvelistv5 – Published: 2025-09-07 15:16 – Updated: 2026-05-11 21:35
VLAI
EPSS
Title
NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
The function needs to check the minimal filehandle length before it can
access the embedded filehandle.
Severity
No CVSS data available.
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/7f8eca87fef7519e9… | |
| https://git.kernel.org/stable/c/cb09afa0948d96b1e… | |
| https://git.kernel.org/stable/c/3570ef5c31314c132… | |
| https://git.kernel.org/stable/c/763810bb883cb4de4… | |
| https://git.kernel.org/stable/c/12ad3def2e5e0b120… | |
| https://git.kernel.org/stable/c/2ad40b7992aa26bc6… | |
| https://git.kernel.org/stable/c/b7f7866932466332a… | |
| https://git.kernel.org/stable/c/7dd36f7477d1e03a1… | |
| https://git.kernel.org/stable/c/ef93a685e01a281b5… | |
| https://lists.debian.org/debian-lts-announce/2025… | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
20fa19027286983ab2734b5910c4a687436e0c31 , < 7f8eca87fef7519e9c41f3258f25ebc2752247ee
(git)
Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < cb09afa0948d96b1e385d609ed044bb1aa043536 (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 3570ef5c31314c13274c935a20b91768ab5bf412 (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 763810bb883cb4de412a72f338d80947d97df67b (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 12ad3def2e5e0b120e3d0cb6ce8b7b796819ad40 (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 2ad40b7992aa26bc631afc1a995b0e3ddc30de3f (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < b7f7866932466332a2528fda099000b035303485 (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 7dd36f7477d1e03a1fcf8d13531ca326c4fb599f (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < ef93a685e01a281b5e2a25ce4e3428cf9371a205 (git) |
|
| Linux | Linux |
Affected:
4.13
Unaffected: 0 , < 4.13 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.148 , ≤ 6.1.* (semver) Unaffected: 6.6.102 , ≤ 6.6.* (semver) Unaffected: 6.12.42 , ≤ 6.12.* (semver) Unaffected: 6.15.10 , ≤ 6.15.* (semver) Unaffected: 6.16.1 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:48.789Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f8eca87fef7519e9c41f3258f25ebc2752247ee",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "cb09afa0948d96b1e385d609ed044bb1aa043536",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "3570ef5c31314c13274c935a20b91768ab5bf412",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "763810bb883cb4de412a72f338d80947d97df67b",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "12ad3def2e5e0b120e3d0cb6ce8b7b796819ad40",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "2ad40b7992aa26bc631afc1a995b0e3ddc30de3f",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "b7f7866932466332a2528fda099000b035303485",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "7dd36f7477d1e03a1fcf8d13531ca326c4fb599f",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "ef93a685e01a281b5e2a25ce4e3428cf9371a205",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix filehandle bounds checking in nfs_fh_to_dentry()\n\nThe function needs to check the minimal filehandle length before it can\naccess the embedded filehandle."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:35:09.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f8eca87fef7519e9c41f3258f25ebc2752247ee"
},
{
"url": "https://git.kernel.org/stable/c/cb09afa0948d96b1e385d609ed044bb1aa043536"
},
{
"url": "https://git.kernel.org/stable/c/3570ef5c31314c13274c935a20b91768ab5bf412"
},
{
"url": "https://git.kernel.org/stable/c/763810bb883cb4de412a72f338d80947d97df67b"
},
{
"url": "https://git.kernel.org/stable/c/12ad3def2e5e0b120e3d0cb6ce8b7b796819ad40"
},
{
"url": "https://git.kernel.org/stable/c/2ad40b7992aa26bc631afc1a995b0e3ddc30de3f"
},
{
"url": "https://git.kernel.org/stable/c/b7f7866932466332a2528fda099000b035303485"
},
{
"url": "https://git.kernel.org/stable/c/7dd36f7477d1e03a1fcf8d13531ca326c4fb599f"
},
{
"url": "https://git.kernel.org/stable/c/ef93a685e01a281b5e2a25ce4e3428cf9371a205"
}
],
"title": "NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39730",
"datePublished": "2025-09-07T15:16:19.377Z",
"dateReserved": "2025-04-16T07:20:57.118Z",
"dateUpdated": "2026-05-11T21:35:09.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39955 (GCVE-0-2025-39955)
Vulnerability from cvelistv5 – Published: 2025-10-09 09:47 – Updated: 2026-05-11 21:39
VLAI
EPSS
Title
tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk
in the TCP_ESTABLISHED state. [0]
syzbot reused the server-side TCP Fast Open socket as a new client before
the TFO socket completes 3WHS:
1. accept()
2. connect(AF_UNSPEC)
3. connect() to another destination
As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes
it to TCP_CLOSE and makes connect() possible, which restarts timers.
Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the
retransmit timer triggered the warning and the intended packet was not
retransmitted.
Let's call reqsk_fastopen_remove() in tcp_disconnect().
[0]:
WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Modules linked in:
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e
RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293
RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017
RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400
RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8
R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540
R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0
FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0
Call Trace:
<IRQ>
tcp_write_timer (net/ipv4/tcp_timer.c:738)
call_timer_fn (kernel/time/timer.c:1747)
__run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)
timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)
tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)
__walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))
tmigr_handle_remote (kernel/time/timer_migration.c:1096)
handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)
irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))
</IRQ>
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/7ec092a91ff351dcd… | |
| https://git.kernel.org/stable/c/a4378dedd6e07e62f… | |
| https://git.kernel.org/stable/c/33a4fdf0b4a25f8ce… | |
| https://git.kernel.org/stable/c/17d69972757781419… | |
| https://git.kernel.org/stable/c/dfd06131107e7b699… | |
| https://git.kernel.org/stable/c/fa4749c065644af4d… | |
| https://git.kernel.org/stable/c/ae313d14b45eca7a6… | |
| https://git.kernel.org/stable/c/45c8a6cc2bcd780e6… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8336886f786fdacbc19b719c1f7ea91eb70706d4 , < 7ec092a91ff351dcde89c23e795b73a328274db6
(git)
Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < a4378dedd6e07e62f2fccb17d78c9665718763d0 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < 33a4fdf0b4a25f8ce65380c3b0136b407ca57609 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < 17d699727577814198d744d6afe54735c6b54c99 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < dfd06131107e7b699ef1e2a24ed2f7d17c917753 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < fa4749c065644af4db496b338452a69a3e5147d9 (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < ae313d14b45eca7a6bb29cb9bf396d977e7d28fb (git) Affected: 8336886f786fdacbc19b719c1f7ea91eb70706d4 , < 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 (git) |
|
| Linux | Linux |
Affected:
3.7
Unaffected: 0 , < 3.7 (semver) Unaffected: 5.4.300 , ≤ 5.4.* (semver) Unaffected: 5.10.245 , ≤ 5.10.* (semver) Unaffected: 5.15.194 , ≤ 5.15.* (semver) Unaffected: 6.1.154 , ≤ 6.1.* (semver) Unaffected: 6.6.108 , ≤ 6.6.* (semver) Unaffected: 6.12.49 , ≤ 6.12.* (semver) Unaffected: 6.16.9 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ec092a91ff351dcde89c23e795b73a328274db6",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "a4378dedd6e07e62f2fccb17d78c9665718763d0",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "33a4fdf0b4a25f8ce65380c3b0136b407ca57609",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "17d699727577814198d744d6afe54735c6b54c99",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "dfd06131107e7b699ef1e2a24ed2f7d17c917753",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "fa4749c065644af4db496b338452a69a3e5147d9",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "ae313d14b45eca7a6bb29cb9bf396d977e7d28fb",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().\n\nsyzbot reported the splat below where a socket had tcp_sk(sk)-\u003efastopen_rsk\nin the TCP_ESTABLISHED state. [0]\n\nsyzbot reused the server-side TCP Fast Open socket as a new client before\nthe TFO socket completes 3WHS:\n\n 1. accept()\n 2. connect(AF_UNSPEC)\n 3. connect() to another destination\n\nAs of accept(), sk-\u003esk_state is TCP_SYN_RECV, and tcp_disconnect() changes\nit to TCP_CLOSE and makes connect() possible, which restarts timers.\n\nSince tcp_disconnect() forgot to clear tcp_sk(sk)-\u003efastopen_rsk, the\nretransmit timer triggered the warning and the intended packet was not\nretransmitted.\n\nLet\u0027s call reqsk_fastopen_remove() in tcp_disconnect().\n\n[0]:\nWARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nModules linked in:\nCPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nCode: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 \u003c0f\u003e 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e\nRSP: 0018:ffffc900002f8d40 EFLAGS: 00010293\nRAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017\nRDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400\nRBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8\nR10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540\nR13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0\nFS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_write_timer (net/ipv4/tcp_timer.c:738)\n call_timer_fn (kernel/time/timer.c:1747)\n __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)\n timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)\n tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)\n __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))\n tmigr_handle_remote (kernel/time/timer_migration.c:1096)\n handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)\n irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:39:39.433Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6"
},
{
"url": "https://git.kernel.org/stable/c/a4378dedd6e07e62f2fccb17d78c9665718763d0"
},
{
"url": "https://git.kernel.org/stable/c/33a4fdf0b4a25f8ce65380c3b0136b407ca57609"
},
{
"url": "https://git.kernel.org/stable/c/17d699727577814198d744d6afe54735c6b54c99"
},
{
"url": "https://git.kernel.org/stable/c/dfd06131107e7b699ef1e2a24ed2f7d17c917753"
},
{
"url": "https://git.kernel.org/stable/c/fa4749c065644af4db496b338452a69a3e5147d9"
},
{
"url": "https://git.kernel.org/stable/c/ae313d14b45eca7a6bb29cb9bf396d977e7d28fb"
},
{
"url": "https://git.kernel.org/stable/c/45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01"
}
],
"title": "tcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39955",
"datePublished": "2025-10-09T09:47:33.556Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2026-05-11T21:39:39.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…