CVE-2025-40139

Published: Nov 12, 2025

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set(). smc_clc_prfx_set() is called during connect() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock() after kernel_getsockname(). Note that the returned value of smc_clc_prfx_set() is not used in the caller. While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() not to touch dst there.

Vendor	Product	Versions
Linux	Linux	affected `a046d57da19f812216f393e7c535f5858f793ac3 - < 0736993bfe5c7a9c744ae3fac62d769dfdae54e1` affected `a046d57da19f812216f393e7c535f5858f793ac3 - < 935d783e5de9b64587f3adb25641dd8385e64ddb`
Linux	Linux	affected `4.11` unaffected `0 - < 4.11` unaffected `6.17.3 - <= 6.17.` unaffected `6.18 - <= `

References

https://git.kernel.org/stable/c/0736993bfe5c7a9c744ae3fac62d769dfdae54e1

https://git.kernel.org/stable/c/935d783e5de9b64587f3adb25641dd8385e64ddb

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-40139

Description

Affected Products

References