High severity7.8NVD Advisory· Published Jul 8, 2025· Updated May 12, 2026

CVE-2025-38236

Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Don't leave consecutive consumed OOB skbs.

Jann Horn reported a use-after-free in unix_stream_read_generic().

The following sequences reproduce the issue:

$ python3 from socket import * s1, s2 = socketpair(AF_UNIX, SOCK_STREAM) s1.send(b'x', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'y', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'z', MSG_OOB) s2.recv(1) # recv 'z' illegally s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free)

Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv().

After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb.

Then, the following happens during the next recv() without MSG_OOB

unix_stream_read_generic() peeks the first consumed OOB skb
manage_oob() returns the next consumed OOB skb
unix_stream_read_generic() fetches the next not-yet-consumed OOB skb
unix_stream_read_generic() reads and frees the OOB skb

, and the last recv(MSG_OOB) triggers KASAN splat.

The 3. above occurs because of the SO_PEEK_OFF code, which does not expect unix_skb_len(skb) to be 0, but this is true for such consumed OOB skbs.

while (skip >= unix_skb_len(skb)) { skip -= unix_skb_len(skb); skb = skb_peek_next(skb, &sk->sk_receive_queue); ... }

In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs.

So, nothing good comes out of such a situation.

Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily.

Now, while receiving an OOB skb in unix_stream_recv_urg(), if its previous skb is a consumed OOB skb, it is freed.

[0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027) Read of size 4 at addr ffff888106ef2904 by task python3/315

CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 Call Trace:

dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:636) unix_stream_read_actor (net/unix/af_unix.c:3027) unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847) unix_stream_recvmsg (net/unix/af_unix.c:3048) sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) __sys_recvfrom (net/socket.c:2278) __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f8911fcea06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06 RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006 RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20 R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 315: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:348) kmem_cache_alloc_ ---truncated---

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in Linux's AF_UNIX socket implementation occurs when consecutive consumed OOB skbs are left on the recv queue, allowing an attacker to trigger KASAN splat and potential privilege escalation.

Vulnerability

Overview

CVE-2025-38236 is a use-after-free vulnerability in the Linux kernel's af_unix subsystem, specifically in the unix_stream_read_generic() function. The bug arises when consecutive out-of-band (OOB) skbs are consumed by reading OOB data but remain on the receive queue as markers. If a user reads OOB data, the skb holding the data is not removed; it stays to mark the OOB boundary and affect subsequent recv() behavior. When multiple such consumed OOB skbs accumulate, the SO_PEEK_OFF code fails to handle zero-length skbs, leading to an incorrect skb being fetched and freed while still referenced [1][2].

Exploitation and

Impact

To trigger the vulnerability, an attacker would need to send multiple OOB messages on an AF_UNIX stream socket pair and then perform a series of recv() calls that leave consumed OOB skbs on the queue. As described in the kernel commit message, a Python script demonstrates the sequence: sending 'x', 'y', and 'z' with MSG_OOB, reading each OOB byte, and then performing a non-OOB read followed by an OOB read results in accessing a freed skb. This use-after-free manifests as a KASAN slab-out-of-bounds error and could potentially be exploited for local privilege escalation or denial-of-service [2]. Additionally, the ioctl(SIOCATMARK) function does not work correctly with consecutive consumed OOB skbs, indicating further instability [2].

Affected

Products and Mitigation

This vulnerability affects the Linux kernel across many products; for example, Siemens confirms that SIMATIC S7-1500 CPUs (including related ET 200 CPUs and SIPLUS variants) are impacted [1]. The fix, already merged into the stable kernel tree, ensures that when receiving an OOB skb in unix_stream_recv_urg(), any preceding consumed OOB skb is freed immediately, preventing the accumulation of multiple consumed OOB markers [2][3][4]. System administrators should apply the latest kernel updates from their distribution to remediate the issue. No workaround is available beyond patching.

References

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Linux/Kernel4 versions
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.15,<5.15.194
- cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
Linux/Linux Kernel Rtllm-fuzzy
Range: >= 6.16-rc1 < 6.16-rc1 (future stable)
Linux/Linuxv5
Range: 5.15

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

git.kernel.org/stable/c/32ca245464e1479bfea8592b9db227fdc1641705nvdPatch
git.kernel.org/stable/c/523edfed4f68b7794d85b9ac828c5f8f4442e4c5nvdPatch
git.kernel.org/stable/c/61a9ad7b69ce688697e5f63332f03e17725353bcnvdPatch
git.kernel.org/stable/c/8db4d2d026e6e3649832bfe23b96c4acff0756dbnvdPatch
git.kernel.org/stable/c/a12237865b48a73183df252029ff5065d73d305envdPatch
git.kernel.org/stable/c/fad0a2c16062ac7c606b93166a7ce9d265bab976nvdPatch
lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlnvdMailing ListThird Party Advisory
project-zero.issues.chromium.org/issues/423023990nvdIssue Tracking
cert-portal.siemens.com/productcert/html/ssa-082556.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000