PT-2025-18397 · Linux+5 · Linux Kernel+5
Published: 2025-04-09 · Updated: 2026-05-07 · CVE-2025-23143
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to the fixed version
Description
A null pointer dereference issue has been identified in the Linux kernel. The problem occurs when the CIFS module is unloaded while a TCP socket is still alive, causing a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. This issue is triggered when the sock_lock_init_class_and_name() function is called, and the module is unloaded before the socket is freed. The estimated number of potentially affected devices is not provided.

Technical details about exploitation include:
- The sock_lock_init_class_and_name() function assigns a different lock class to the TCP socket's sk->sk_lock.
- The check_wait_context() function checks the lock context, and hlock_class() is called to retrieve the lock class.
- If the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null pointer dereference.
Recommendations
To resolve this issue, update the Linux kernel to a version that includes the fix for the null pointer dereference issue.
As a temporary workaround, consider avoiding the unloading of the CIFS module while a TCP socket is still alive.
Restrict access to the sock_lock_init_class_and_name() function to minimize the risk of exploitation.
Avoid using the rmmod command to unload the CIFS module while a TCP socket is still in the FIN_WAIT_1 state.
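One way to enforce the workaround above before unloading the module, as an added example that is not part of the original advisory or of the kernel project. It assumes SMB sessions use TCP port 445 and that iproute2 `ss` is available; the function names and sample lines are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: refuse to unload cifs while SMB TCP sockets are still alive.
# Assumption: SMB sessions use TCP port 445 (override with SMB_PORT).
SMB_PORT="${SMB_PORT:-445}"

# Read `ss -Htan` lines (State Recv-Q Send-Q Local Peer) on stdin and print
# how many non-listening TCP sockets have $SMB_PORT as the peer port.
# Conservative: every such state counts, not only FIN-WAIT-1.
count_lingering_smb() {
    awk -v port="$SMB_PORT" '
        $1 == "LISTEN" { next }
        {
            n = split($5, parts, ":")   # also handles [v6addr]:port
            if (parts[n] == port) c++
        }
        END { print c + 0 }'
}

# Hypothetical wrapper to call instead of a bare `rmmod cifs`.
# Note: ss only lists sockets of the current network namespace.
safe_rmmod_cifs() {
    n=$(ss -Htan | count_lingering_smb)
    if [ "$n" -gt 0 ]; then
        echo "cifs: $n TCP socket(s) to port $SMB_PORT still alive, not unloading" >&2
        return 1
    fi
    rmmod cifs
}

# Constructed sample of `ss -Htan` output (documentation addresses).
sample_ss_output() {
    cat <<'EOF'
ESTAB      0 0   192.0.2.10:51324       192.0.2.20:445
FIN-WAIT-1 0 1   192.0.2.10:51388       192.0.2.20:445
FIN-WAIT-1 0 1   [2001:db8::10]:40112   [2001:db8::20]:445
LISTEN     0 128 0.0.0.0:22             0.0.0.0:*
ESTAB      0 0   192.0.2.10:445         198.51.100.7:50522
EOF
}

sample_ss_output | count_lingering_smb   # prints 3 for the sample above
```

Call `safe_rmmod_cifs` after unmounting all CIFS shares; it returns non-zero and leaves the module loaded until the counted sockets have been freed.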
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
Debian
Linux Mint
Linux Kernel
RED OS
Ubuntu