CVE-2025-40187
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null pointer dereference in the Linux kernel's SCTP implementation can occur when handling a COOKIE ECHO chunk, leading to a crash.
Vulnerability
In the Linux kernel's SCTP implementation, a null pointer dereference vulnerability exists in the sctp_sf_do_5_1D_ce() function, which handles incoming COOKIE ECHO chunks during association setup. The bug occurs when new_asoc->peer.adaptation_ind is zero and sctp_ulpevent_make_authkey() returns zero, causing the variable ai_ev to remain zero. This zero value is then passed to sctp_ulpevent_free(), which dereferences it, leading to a kernel crash [1][2][3].
Exploitation
An attacker can trigger this vulnerability by sending a specially crafted COOKIE ECHO chunk to a vulnerable system. No authentication is required, as the SCTP association setup process is initiated before authentication is fully established. The attack can be performed remotely over the network, targeting systems that have the SCTP protocol enabled.
Impact
Successful exploitation results in a denial of service (DoS) condition due to a kernel panic or crash. The vulnerability does not appear to allow arbitrary code execution or privilege escalation, as the dereference of a null pointer typically leads to an immediate system crash.
Mitigation
The vulnerability has been patched in the Linux kernel. Users should apply the latest stable kernel updates to remediate the issue. The fix ensures that ai_ev is properly checked before being passed to sctp_ulpevent_free() [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
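The cleanup path described above, as an added userspace model; it is not the kernel's code and not part of this CVE record. `event_free()` stands in for `sctp_ulpevent_free()` and counts a NULL argument instead of crashing; every other name, the labels, and the `guarded` switch are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model: every name is a hypothetical stand-in, not kernel code. */
struct event { int unused; };
static int null_frees;   /* NULL arguments that reached event_free() */
static int fail_authkey; /* knob: the authkey event constructor returns NULL */

/* Stand-in for sctp_ulpevent_free(), which dereferences its argument; the
 * model counts a NULL argument instead of crashing. */
static void event_free(struct event *ev)
{
	if (!ev) { null_frees++; return; }
	free(ev);
}

static struct event *event_make(int fail)
{
	return fail ? NULL : calloc(1, sizeof(struct event));
}

/* guarded=0: cleanup as described for the bug; guarded=1: ai_ev is checked
 * first. Returns 0 on success, -1 when an event could not be created. */
static int handle_cookie_echo(int adaptation_ind, int guarded)
{
	struct event *ev = event_make(0), *ai_ev = NULL, *auth_ev;
	if (!ev)
		return -1;
	/* Optional event: ai_ev stays NULL when adaptation_ind == 0. */
	if (adaptation_ind && !(ai_ev = event_make(0)))
		goto free_ev;
	auth_ev = event_make(fail_authkey);
	if (!auth_ev)
		goto free_ai_ev;
	free(auth_ev); free(ai_ev); free(ev);
	return 0;
free_ai_ev:
	if (!guarded || ai_ev) /* the guard skips the free when ai_ev is NULL */
		event_free(ai_ev);
free_ev:
	event_free(ev);
	return -1;
}

int main(void)
{
	fail_authkey = 1;
	printf("unguarded rc=%d\n", handle_cookie_echo(0, 0));
	printf("guarded rc=%d, NULL frees so far=%d\n", handle_cookie_echo(0, 1), null_frees);
	return 0;
}
```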
Affected products (2)
Patches (8)
1014b83778c8, 7f702f85df02, dbceedc0213e, 025419f4e216, c21f45cfa4a9, d0e8f1445c19, badbd79313e6, 2f3119686ef5
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/025419f4e216a3ae0d0cec622262e98e8078c447 (nvd)
- git.kernel.org/stable/c/1014b83778c8677f1d7a57c26dc728baa801ac62 (nvd)
- git.kernel.org/stable/c/2f3119686ef50319490ccaec81a575973da98815 (nvd)
- git.kernel.org/stable/c/7f702f85df0266ed7b5bab81ba50394c92f3c928 (nvd)
- git.kernel.org/stable/c/badbd79313e6591616c1b78e29a9b71efed7f035 (nvd)
- git.kernel.org/stable/c/c21f45cfa4a9526b34d76b397c9ef080668b6e73 (nvd)
- git.kernel.org/stable/c/d0e8f1445c19b1786759ba72a38267e1449bab7e (nvd)
- git.kernel.org/stable/c/dbceedc0213e75bf3e9f9f9e2f66b10699d004fe (nvd)