PT-2025-4321 · Linux+7 · Linux Kernel+7
Published
2025-01-08
·
Updated
2025-10-03
·
CVE-2025-21640
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.74
Description
A vulnerability has been resolved in the Linux kernel, specifically in the sctp: sysctl: cookie hmac alg component. The issue arises from using the 'net' structure via 'current', which is not recommended due to inconsistency and potential null pointer dereferences. The 'net' structure can be obtained from the table->data using container of(). This vulnerability can result in an 'Oops' (null-ptr-deref) when the current task is exiting.
Recommendations
For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider modifying the code to use table->data instead of current->nsproxy to obtain the 'net' structure, thereby avoiding potential null pointer dereferences.
Exploit
Fix
NULL Pointer Dereference
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu