CVE-2025-39950

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the Linux kernel related to a NULL pointer dereference within the tcp ao finish connect() function when TCP-AO is used in conjunction with TCP REPAIR. This issue can occur during a connect() system call on a socket with a TCP-AO key added and TCP REPAIR enabled. The function attempts to dereference a potentially NULL skb pointer without prior validation, leading to a crash. The vulnerability is triggered when the skb is NULL and the code attempts to access tcp hdr(skb)->seq. A proof-of-concept demonstrates the issue by setting up a socket with TCP-AO and TCP REPAIR enabled, then initiating a connection.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

NULL Pointer Dereference

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-476

Related Identifiers

BDU:2026-02685

CVE-2025-39950

OPENSUSE-SU-2025:20091-1

SUSE-SU-2025:21080-1

SUSE-SU-2025:21147-1

SUSE-SU-2025:21180-1

USN-8095-1

USN-8095-2

USN-8095-3

USN-8095-4

USN-8095-5

USN-8100-1

USN-8125-1

USN-8126-1

USN-8165-1

USN-8261-1

Affected Products

Linuxmint

Linux Kernel

Suse

Ubuntu

CVE-2025-39950

Weakness Enumeration

Related Identifiers

Affected Products

References · 1602