Null Dereference Vulnerability in Linux Kernel Affects SCTP Functionality
CVE-2025-40187

Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 12 November 2025

What is CVE-2025-40187?

CVE-2025-40187 is a NULL pointer dereference in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation, on an error path in the handling of a new association ('new_asoc'). Two conditions must hold together. First, 'new_asoc->peer.adaptation_ind' is zero, so the adaptation-indication event pointer 'ai_ev' is never assigned and stays NULL. Second, 'sctp_ulpevent_make_authkey()' returns 0, i.e. the allocation of the authentication-key event fails. The cleanup for that failure passes 'ai_ev' to 'sctp_ulpevent_free()' regardless, and that function reads through its argument, so the kernel dereferences a NULL pointer. The result is a kernel oops, a crash of the host rather than of a single application, which makes this a denial-of-service issue. Apply the vendor's kernel update; where SCTP is built as a module and is not needed, blacklisting the 'sctp' module keeps the affected code unreachable until the update is installed.
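As an added illustration, not code from the kernel or from this page: a constructed userspace model of the error-path pattern just described. It has a fault-injection knob so the failing allocation can be forced, and an instrumented free routine that counts a NULL argument instead of faulting, so the bad path can be exercised and checked without crashing. The names process_init, event_free, make_authkey_event, fail_authkey_alloc and null_frees_in are assumptions of this model; the kernel's own routines are referenced only by analogy, and the upstream fix is not reproduced.

```c
/*
 * Constructed userspace model of the error-path bug described above. It is
 * not kernel code: the struct, function names and the fault-injection knob
 * are stand-ins, sctp_ulpevent_make_authkey() and sctp_ulpevent_free() are
 * mirrored only in shape, and the upstream fix is not reproduced here.
 */
#include <stdio.h>
#include <stdlib.h>

struct event { int refcnt; };

static int fail_authkey_alloc;	/* assumed knob: make the authkey event fail */
static int null_deref_hits;	/* how often event_free() was handed NULL */

static struct event *make_event(void)
{
	struct event *ev = malloc(sizeof *ev);
	if (ev)
		ev->refcnt = 1;
	return ev;
}

/* Mirrors sctp_ulpevent_make_authkey() returning 0 on allocation failure. */
static struct event *make_authkey_event(void)
{
	return fail_authkey_alloc ? NULL : make_event();
}

/*
 * Stand-in for sctp_ulpevent_free(), which reads through its argument.
 * The model counts a NULL instead of faulting so a test can observe it.
 */
static void event_free(struct event *ev)
{
	if (!ev) {
		null_deref_hits++;	/* the real routine would oops here */
		return;
	}
	if (--ev->refcnt == 0)	/* the read that faults on a NULL pointer */
		free(ev);
}

/*
 * ai_ev is assigned only when adaptation_ind != 0. With guarded == 0 the
 * nomem_authev path frees it unconditionally (vulnerable shape); with
 * guarded == 1 it frees it only if it was allocated (hardened shape).
 */
static int process_init(int adaptation_ind, int auth_capable, int guarded)
{
	struct event *ai_ev = NULL, *auth_ev = NULL;

	if (adaptation_ind) {
		ai_ev = make_event();
		if (!ai_ev)
			goto nomem;
	}
	if (!auth_capable) {
		auth_ev = make_authkey_event();
		if (!auth_ev)
			goto nomem_authev;
	}
	/* Success path: the kernel queues each event; here they are just dropped. */
	if (ai_ev)
		event_free(ai_ev);
	if (auth_ev)
		event_free(auth_ev);
	return 0;

nomem_authev:
	if (!guarded)
		event_free(ai_ev);	/* BUG: NULL when adaptation_ind == 0 */
	else if (ai_ev)
		event_free(ai_ev);
nomem:
	return -1;
}

/* Runs one scenario; returns how many NULL pointers reached event_free(). */
static int null_frees_in(int adaptation_ind, int auth_capable, int fail_alloc,
			 int guarded)
{
	int before = null_deref_hits;

	fail_authkey_alloc = fail_alloc;
	process_init(adaptation_ind, auth_capable, guarded);
	fail_authkey_alloc = 0;
	return null_deref_hits - before;
}

int main(void)
{
	/* adaptation_ind == 0, peer not auth-capable, authkey allocation fails */
	printf("vulnerable: %d NULL free(s)\n", null_frees_in(0, 0, 1, 0));
	printf("hardened:   %d NULL free(s)\n", null_frees_in(0, 0, 1, 1));
	/* same failure with adaptation_ind != 0: ai_ev is valid, nothing faults */
	printf("vulnerable, adaptation_ind set: %d NULL free(s)\n",
	       null_frees_in(1, 0, 1, 0));
	return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The unguarded path reports one NULL free only when adaptation_ind is zero and the authkey allocation fails, the guarded path reports none, and setting adaptation_ind makes the unguarded path safe, which matches the conjunction of conditions in the description. The pattern to look for in review is a goto-cleanup ladder where one label frees a pointer that is only conditionally assigned earlier in the function.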

Affected Version(s)

Linux kernel (git), affected from commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b up to but excluding fix commit 1014b83778c8677f1d7a57c26dc728baa801ac62

Linux kernel (git), affected from commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b up to but excluding fix commit 7f702f85df0266ed7b5bab81ba50394c92f3c928

Linux kernel (git), affected from commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b (no fixed commit listed for this range)

Kernel CVE entries express affected ranges as git commits; map them to your distribution's kernel package version rather than comparing upstream release numbers.

Timeline

  • Vulnerability reserved

  • Vulnerability published (12 November 2025)
