CVE-2025-38236

Published Jul 8, 2025

Last updated 3 months ago

Linux Kernel

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-38236 is a use-after-free vulnerability in the Linux kernel's AF_UNIX sockets implementation, specifically within the `unixstreamreadgeneric()` function. The flaw occurs when handling consecutive consumed Out-Of-Band (OOB) sk\_buffs (skbs) in AFUNIX sockets. This arises when a user reads OOB data, and the skb holding the data remains on the receive queue to mark the OOB boundary. The vulnerability can be triggered by sending and receiving a crafted sequence of OOB socket messages. Exploitation could lead to memory corruption in the Linux kernel due to the use-after-free condition. A patch has been implemented to resolve this issue by modifying the handling of consecutive consumed OOB skbs, ensuring that consumed OOB skbs are properly freed.

Description
In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't leave consecutive consumed OOB skbs. Jann Horn reported a use-after-free in unix_stream_read_generic(). The following sequences reproduce the issue: $ python3 from socket import * s1, s2 = socketpair(AF_UNIX, SOCK_STREAM) s1.send(b'x', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'y', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'z', MSG_OOB) s2.recv(1) # recv 'z' illegally s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free) Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv(). After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb. Then, the following happens during the next recv() without MSG_OOB 1. unix_stream_read_generic() peeks the first consumed OOB skb 2. manage_oob() returns the next consumed OOB skb 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb 4. unix_stream_read_generic() reads and frees the OOB skb , and the last recv(MSG_OOB) triggers KASAN splat. The 3. above occurs because of the SO_PEEK_OFF code, which does not expect unix_skb_len(skb) to be 0, but this is true for such consumed OOB skbs. while (skip >= unix_skb_len(skb)) { skip -= unix_skb_len(skb); skb = skb_peek_next(skb, &sk->sk_receive_queue); ... } In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs. So, nothing good comes out of such a situation. Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily. Now, while receiving an OOB skb in unix_stream_recv_urg(), if its previous skb is a consumed OOB skb, it is freed. [0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027) Read of size 4 at addr ffff888106ef2904 by task python3/315 CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:636) unix_stream_read_actor (net/unix/af_unix.c:3027) unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847) unix_stream_recvmsg (net/unix/af_unix.c:3048) sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) __sys_recvfrom (net/socket.c:2278) __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f8911fcea06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06 RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006 RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20 R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 315: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:348) kmem_cache_alloc_ ---truncated---
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Awaiting Analysis

Social media

Hype score
Not currently trending

  1. Top 5 Trending CVEs: 1 - CVE-2025-38236 2 - CVE-2025-52970 3 - CVE-2025-3305 4 - CVE-2023-44487 5 - CVE-2025-54253 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    25 Aug 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. From Chrome renderer code exec to kernel with MSG_OOB Jann Horn @tehjh posted an article about exploiting CVE-2025-38236, a UAF in the UNIX domain sockets: https://t.co/xRBYnLAU8X

    @linkersec

    23 Aug 2025

    4679 Impressions

    22 Retweets

    93 Likes

    35 Bookmarks

    1 Reply

    0 Quotes

  3. #exploit #Kernel_Security CVE-2025-38236: From Chrome renderer code exec to kernel with MSG_OOB https://t.co/A40lZvPyrY ]-&gt; PoC code - https://t.co/71sIbhRJAr // Chrome's Linux desktop renderer sandbox exposes kernel attack surface that is never legitimately used in the sandb

    @ksg93rd

    14 Aug 2025

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. ⚠️Vulnerabilidad en el kernel de Linux ❗CVE-2025-38236 ➡️Más info: https://t.co/g0Vl2fukY3 https://t.co/JmlYjuo1mv

    @CERTpy

    12 Aug 2025

    91 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. ⚠️ New Linux Kernel Vulnerability (CVE-2025-38236) Enables Privilege Escalation from Chrome Sandbox https://t.co/BXz6sUSmAz A critical bug in the Linux kernel’s UNIX socket MSG_OOB implementation allows attackers to escape the Chrome renderer sandbox and gain kernel-level

    @Huntio

    11 Aug 2025

    831 Impressions

    5 Retweets

    8 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  6. A UAF flaw (CVE-2025-38236) in the Linux kernel allows for privilege escalation. A PoC exploit is now public, demonstrating how to escape the Chrome sandbox and gain kernel control. #LinuxKernel #CVE #UAF #Hacking #Cybersecurity https://t.co/9CvRZnJwWT

    @the_yellow_fall

    11 Aug 2025

    2133 Impressions

    9 Retweets

    36 Likes

    17 Bookmarks

    0 Replies

    0 Quotes

  7. A Linux Kernel flaw (CVE-2025-38236) enables full system compromise from secure browsers, while US ransomware attacks surge 150%, exploiting zero-day VPN flaws. #Linux #Ransomware #InfoSecAsk https://t.co/6LxMJfQlIQ

    @DailyDataDosee

    9 Aug 2025

    39 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  8. CVE-2025-38236は、Linuxカーネル6.9以降に存在するUNIXドメインソケットの`MSG_OOB`機能に起因する重大なUAF(Use-After-Free)脆弱性で、ChromeのLinuxレンダラサンドボックス内からカーネル権限奪取が可能となる。

    @yousukezan

    9 Aug 2025

    1133 Impressions

    3 Retweets

    6 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-38236 In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't leave consecutive consumed OOB skbs. Jann Horn reported a use-after-free in unix_… https://t.co/nnGKyPg2jc

    @CVEnew

    8 Jul 2025

    114 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.