NULL Pointer Dereference Vulnerability in Linux Kernel TCP-AO Feature
CVE-2025-39950

Currently unrated

Key Information:

Vendor: Linux

CVE Published: 4 October 2025

What is CVE-2025-39950?

A vulnerability in the Linux kernel's TCP-AO implementation allows a NULL pointer dereference during the connect() system call on sockets that have a TCP-AO key added and TCP_REPAIR enabled. If an invalid state occurs, the function tcp_ao_finish_connect can attempt to dereference a NULL pointer, leading to unexpected behavior and potential kernel crashes. The proposed fix adds a validation check before the skb variable is dereferenced, which prevents this fault. This issue emphasizes the necessity for robust error handling within kernel networking code.

Affected Version(s)

Linux 7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f < 5f445eb259906b61a518487a790e11d07d31738c

Linux 7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f < 993b734d31ab804747ac961b1ee664b023c3b5fa

Linux 7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f < 2e7bba08923ebc675b1f0e0e0959e68e53047838
