Security Vulnerability Report
CVE-2025-39962 CVSS 7.8 HIGH

Published: 2025-10-09 13:15:32
Last Modified: 2026-02-26 23:03:54
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix untrusted unsigned subtract

Fix the following Smatch static checker warning:

    net/rxrpc/rxgk_app.c:65 rxgk_yfs_decode_ticket()
    warn: untrusted unsigned subtract. 'ticket_len - 10 * 4'

by prechecking the length of what we're trying to extract in two places in the token and decoding for a response packet.

Also use sizeof() on the struct we're extracting rather than specifying the size numerically to be consistent with the other related statements.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.17 (all affected versions that include the rxrpc subsystem)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2025-39962 - Linux kernel rxrpc unsigned integer underflow
// This PoC demonstrates the vulnerability concept in user space by simulating
// the length arithmetic for an RXGK ticket with insufficient length, which
// triggers the integer underflow. It does not touch the kernel.
#include <stdio.h>

// Simulated vulnerable function logic from net/rxrpc/rxgk_app.c
void vulnerable_decode_ticket(unsigned int ticket_len, unsigned char *ticket_data)
{
    (void)ticket_data; // the simulation never dereferences the buffer

    // VULNERABLE: untrusted unsigned subtract
    // If ticket_len < 40 (10*4), this wraps around to a huge value
    unsigned int data_len = ticket_len - 10 * 4;

    printf("ticket_len=%u, calculated data_len=%u\n", ticket_len, data_len);

    // This would lead to out-of-bounds access
    if (data_len > 0) {
        printf("Attempting to read %u bytes - potential OOB!\n", data_len);
        // memcpy/memmove with underflowed length would cause kernel panic
    }
}

int main(void)
{
    // Craft a ticket with length less than 40 to trigger underflow
    unsigned int malicious_len = 20; // Less than 10*4 = 40
    unsigned char ticket[64] = {0};

    printf("Triggering CVE-2025-39962 PoC...\n");
    vulnerable_decode_ticket(malicious_len, ticket);

    // In a real scenario, this would be sent via an AF_RXRPC socket to reach the kernel path
    printf("PoC completed - underflow demonstrated\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39962", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-09T13:15:32.390", "lastModified": "2026-02-26T23:03:53.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix untrusted unsigned subtract\n\nFix the following Smatch static checker warning:\n\n net/rxrpc/rxgk_app.c:65 rxgk_yfs_decode_ticket()\n warn: untrusted unsigned subtract. 'ticket_len - 10 * 4'\n\nby prechecking the length of what we're trying to extract in two places in\nthe token and decoding for a response packet.\n\nAlso use sizeof() on the struct we're extracting rather specifying the size\nnumerically to be consistent with the other related statements."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.16.9", "matchCriteriaId": "A29694A5-4AF1-4C6F-8828-187FA35BAC01"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "47E4C5C0-079F-4838-971B-8C503D48FCC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2429a197648178cd4dc930a9d87c13c547460564", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/71571e187106631a8127f2dde780f35caa358d33", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}