CVE-2025-39965

Published Oct 13, 2025

Last updated 21 days ago

CVSS high 7.8
Linux Kernel

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-39965 is a use-after-free (UAF) vulnerability in the Linux kernel's XFRM subsystem, which is responsible for implementing the IPsec protocol. The vulnerability stems from the `xfrm_alloc_spi` function in the `net/xfrm/xfrm_state.c` file. This function, which is called via the `XFRM_MSG_ALLOCSPI` Netlink message from user space, is responsible for allocating SPIs (Security Parameter Indexes). A recent commit modified the allocation logic to prevent SPI duplication. However, the `get_random_u32_inclusive` function can return 0, which isn't checked by `xfrm_alloc_spi`. As a result, an `xfrm_state` object can be allocated with an SPI value of 0 and added to the `byspi` global list. Since SPI=0 typically signifies that no SPI is assigned, the `__xfrm_state_delete` function doesn't remove such objects from the `byspi` list when cleaning up. This leaves a dangling pointer in the `byspi` list, leading to a use-after-free condition when the memory is accessed again.

Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: xfrm_alloc_spi shouldn't use 0 as SPI x->id.spi == 0 means "no SPI assigned", but since commit 94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states and add them to the byspi list with this value. __xfrm_state_delete doesn't remove those states from the byspi list, since they shouldn't be there, and this shows up as a UAF the next time we go through the byspi list.
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Analyzed
Products
linux_kernel

Risk scores

CVSS 3.1

Type
Primary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

  1. Analysis of a Use-After-Free in the Linux XFRM subsystem (CVE-2025-39965) by @streypaws https://t.co/ZWOVtBV6Jg #infosec #Linux https://t.co/ecRglI9kF2

    @0xor0ne

    1 Jan 2026

    5921 Impressions

    15 Retweets

    100 Likes

    55 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-39965: UAF in Linux Kernel XFRM https://t.co/i8R2Frasny A July fix for duplicate SPI allocation introduced a UAF vulnerability in the IPsec XFRM subsystem:

    @hackyboiz

    26 Oct 2025

    4367 Impressions

    10 Retweets

    47 Likes

    19 Bookmarks

    0 Replies

    1 Quote

  3. I analysed a recent KernelCTF 1-Day (CVE-2025-39965) which is a UaF in Linux XFRM subsystem, including the XFRM internals, the patch-fix, vulnerability analysis, along with a trigger PoC. Enjoy! Blog: https://t.co/IhfKiGAmkZ PoC: https://t.co/EHtvcD9gNn

    @streypaws

    19 Oct 2025

    6702 Impressions

    24 Retweets

    102 Likes

    42 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-39965 In the Linux kernel, the following vulnerability has been resolved: xfrm: xfrm_alloc_spi shouldn't use 0 as SPI x->id.spi == 0 means "no SPI assigned", but since co… https://t.co/KNoufAyiRm

    @CVEnew

    13 Oct 2025

    367 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

References

Sources include official advisories and independent security research.