VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-40331

Description

In the Linux kernel, the following vulnerability has been resolved:

sctp: Prevent TOCTOU out-of-bounds write

For the following path not holding the sock lock,

sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()

make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A TOCTOU out-of-bounds write in the Linux kernel's SCTP diagnostic code may allow a local attacker to corrupt memory when an endpoint's address list grows between buffer allocation and the write that fills it.

Vulnerability

The Linux kernel's SCTP diagnostic interface contains a time-of-check to time-of-use (TOCTOU) vulnerability on the sctp_diag_dump() path, which walks SCTP endpoints via sctp_for_each_endpoint() and sctp_ep_dump(). The kernel sizes a buffer from the address list as it is at allocation time (the check); because the socket lock is not held on this path, the list can grow before the entries are written (the use). If the list is longer than the buffer was sized for, the write overruns the allocation, an out-of-bounds write [1][2].
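As an added illustration that is not kernel code and not part of this advisory: a user-space model of the race just described, with a time-of-use copy that is bounded by the buffer's capacity rather than by the list's current length, which is the kind of check the fix refers to. The types and function names (sctp_addr_t, addr_list_t, dump_addrs_bounded, simulate_dump) are hypothetical; the real kernel structures differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical address record and endpoint list (the kernel's structs differ);
 * another context may grow `count` while the dump runs. */
typedef struct { uint32_t addr; } sctp_addr_t;
typedef struct { sctp_addr_t *addrs; size_t count; } addr_list_t;

#define GUARD_LEN 16      /* canary bytes after the buffer, to detect overrun */
#define GUARD_BYTE 0xA5

/* Time-of-use, bounded: copy no more than the buffer can hold, even if the
 * list grew after the buffer was sized. Returns the number of entries written. */
size_t dump_addrs_bounded(const addr_list_t *l, void *out, size_t cap_bytes)
{
    size_t room = cap_bytes / sizeof(sctp_addr_t);
    size_t count = l->count;            /* re-read at time of use */
    if (count > room)                   /* list grew between check and use */
        count = room;                   /* truncate rather than overrun */
    memcpy(out, l->addrs, count * sizeof(sctp_addr_t));
    return count;
}

/* Simulates the race: size the buffer while the list has `initial` entries
 * (time-of-check), grow the list to `grown_to`, then dump it (time-of-use).
 * Returns 1 if the canary after the buffer is still intact. */
int simulate_dump(size_t initial, size_t grown_to, size_t *entries_written)
{
    sctp_addr_t *a = calloc(grown_to ? grown_to : 1, sizeof(sctp_addr_t));
    addr_list_t list = { a, initial };
    size_t cap = list.count * sizeof(sctp_addr_t);      /* time-of-check */
    unsigned char *buf = malloc(cap + GUARD_LEN);
    int intact = 0;
    *entries_written = 0;
    if (a && buf) {
        memset(buf + cap, GUARD_BYTE, GUARD_LEN);
        for (size_t i = 0; i < grown_to; i++) a[i].addr = (uint32_t)i;
        list.count = grown_to;                          /* concurrent growth */
        *entries_written = dump_addrs_bounded(&list, buf, cap); /* time-of-use */
        intact = 1;
        for (size_t i = 0; i < GUARD_LEN; i++)
            if (buf[cap + i] != GUARD_BYTE) intact = 0;
    }
    free(buf);
    free(a);
    return intact;
}
```

With the bound in place, a list that grows from 2 to 5 entries after sizing yields 2 copied entries and an untouched canary; without it, the extra 3 entries would land past the end of the allocation.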

Exploitation

The vulnerability is present in the path that does not hold the socket lock during the dump operation, so an unprivileged local attacker can attempt to trigger the race condition. To exploit, the attacker must be able to cause an SCTP endpoint's address list to increase (for example, by adding more addresses to an SCTP association) while a concurrent diagnostic dump is in progress. The attack surface is limited to local access, and no special privileges beyond the ability to create SCTP sockets and trigger diagnostic dumps are required [1][2].

Impact

Successful exploitation allows an attacker to write out-of-bounds relative to the allocated buffer. This can corrupt kernel memory, potentially leading to system instability, denial of service, or escalation of privileges if the attacker can control the data written. The CVE description confirms this as a TOCTOU out-of-bounds write vulnerability [1].

Mitigation

The fix has been applied in the Linux kernel stable branches; the commits referenced in CVE-2025-40331 have been backported to several stable versions [1][2][3]. System administrators should update their kernels to include the fix. No workaround is mentioned for systems that cannot be patched.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

  • Linux/Kernel (inferred), 2 versions, no CPE assigned

Patches: 8

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0 (no linked articles in the index yet)