CVE-2025-40281

Root

Cause

CVE-2025-40281 is a shift-out-of-bounds vulnerability in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation, specifically in the function sctp_transport_update_rto. The flaw was introduced by a prior commit that set maximum values for the sysctl parameters rto_alpha and rto_beta to 1000. When user-space configures unusually large values for these sysctl parameters, subsequent shift operations in the RTO update logic can exceed the bounds of a 32-bit unsigned integer, triggering undefined behavior as reported by the kernel's UBSAN tool. The syzbot fuzzer detected the issue with a shift exponent of 64 being too large for unsigned int [1].

Exploitation

An attacker who can modify the rto_alpha or rto_beta sysctl parameters (requires root or privileged access to the SCTP subsystem) can set them to values that cause the shift exponent to become excessively large during RTO calculation. The exploit path begins in sctp_transport_update_rto, called from sctp_check_transmitted in the outqueue processing, which is triggered upon receiving a Selective Acknowledgment (SACK) [1]. No network-based exploitation is possible without first achieving local privileged access to write sysctls.

Impact

Successful exploitation leads to undefined behavior due to the shift-out-of-bounds, which may crash the kernel (denial of service) or potentially be leveraged for other undefined consequences. The attack requires local privileged access to set the sysctl values, limiting its remote exploitability.

Mitigation

The Linux kernel community merged a fix that performs a runtime bounds check on the shift amount before executing the operation, preventing the out-of-bounds shift. The patch also adds READ_ONCE() annotations for the sysctl values, since they can change asynchronously [1]. No workarounds are documented; users should update their kernels to include the fix.