VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 16, 2025· Updated Apr 15, 2026

CVE-2025-40357

CVE-2025-40357

Description

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix general protection fault in __smc_diag_dump

The syzbot report a crash:

Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f] CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline] RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89 Call Trace:

smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217 smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234 netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327 __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442 netlink_dump_start include/linux/netlink.h:341 [inline] smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251 __sock_diag_cmd net/core/sock_diag.c:249 [inline] sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg net/socket.c:729 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668 __sys_sendmsg+0x16d/0x220 net/socket.c:2700 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The process like this:

(CPU1) | (CPU2) ---------------------------------|------------------------------- inet_create() | // init clcsock to NULL | sk = sk_alloc() | | // unexpectedly change clcsock | inet_init_csk_locks() | | // add sk to hash table | smc_inet_init_sock() | smc_sk_init() | smc_hash_sk() | | // traverse the hash table | smc_diag_dump_proto | __smc_diag_dump() | // visit wrong clcsock | smc_diag_msg_common_fill() // alloc clcsock | smc_create_clcsk | sock_create_kern |

With CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed in inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc, just remove it.

After removing the INET_PROTOSW_ICSK flag, this patch alse revert commit 6fd27ea183c2 ("net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC") to avoid casting smc_sock to inet_connection_sock.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A general protection fault in the Linux kernel's SMC diagnostics (__smc_diag_dump) can be triggered by a race condition when a socket is closed concurrently with a diagnostic dump, leading to a use-after-free.

Vulnerability

CVE-2025-40357 is a use-after-free vulnerability in the Linux kernel's SMC (Shared Memory Communications) diagnostics subsystem. The bug resides in the __smc_diag_dump function, specifically in smc_diag_msg_common_fill, where a race condition between socket creation/closure and a concurrent close and a diagnostic dump can cause the kernel to access freed memory. The issue was discovered by syzbot and manifests as a general protection fault due to a wild memory access [1].

Exploitation

An attacker with local access and the ability to trigger SMC diagnostic dumps (e.g., via netlink sockets) can exploit this race condition. The attack requires precise timing: on one CPU, a socket is being created (e.g., via inet_create), while on another CPU, a diagnostic dump is performed. If the socket is closed before the dump completes, the kernel may dereference a pointer to freed memory, leading to a crash or potentially arbitrary code execution [1].

Impact

Successful exploitation could allow an unprivileged local attacker to cause a denial of service (system crash) or, in some cases, escalate privileges by corrupting kernel memory. The vulnerability is rated with a CVSS score of 7.8 (High) due to the potential for local privilege escalation [1].

Mitigation

The fix is included in the Linux kernel stable tree as commit f584239a9ed25057496bf397c370cc5163dde419. Users should apply the latest kernel updates from their distribution. No workaround is available; patching is the recommended mitigation [1].

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernelinferred2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)

Patches

3
5b6fc95c4a16
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
99b5b3faf322
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
f584239a9ed2
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.