sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

Summary

CVE: CVE-2025-40281
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2025-12-06 22:15:56 UTC
Updated: 2026-06-02 14:16:33 UTC

Description

In the Linux kernel, the following vulnerability has been resolved:

sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

syzbot reported a possible shift-out-of-bounds [1]

Blamed commit added rto_alpha_max and rto_beta_max set to 1000.

It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.

In order to prevent user regression, perform the test at run time.

Also add READ_ONCE() annotations as sysctl values can change under us.

[1]

UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41
shift exponent 64 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:233 [inline]
 __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494
 sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509
 sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502
 sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338
 sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]

Risk And Classification

EPSS: 0.001170000 probability, percentile 0.300270000 (date 2026-06-08)

Vendor Declared Affected Products

| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b 0e0413e3315199b23ff4aec295e256034cd0a6e4 git | Not specified |
| CNA | Linux | Linux | affected b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b 834e65be429c0fa4f9bb5945064bd57f18ed2187 git | Not specified |
| CNA | Linux | Linux | affected b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a git | Not specified |
| CNA | Linux | Linux | affected b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b d0d858652834dcf531342c82a0428170aa7c2675 git | Not specified |
| CNA | Linux | Linux | affected b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b ed71f801249d2350c77a73dca2c03918a15a62fe git | Not specified |
| CNA | Linux | Linux | affected b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b 1cfa4eac275cc4875755c1303d48a4ddfe507ca8 git | Not specified |
| CNA | Linux | Linux | affected b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d git | Not specified |
| CNA | Linux | Linux | affected b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b 1534ff77757e44bcc4b98d0196bc5c0052fce5fa git | Not specified |
| CNA | Linux | Linux | affected 3.16 | Not specified |
| CNA | Linux | Linux | unaffected 3.16 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.4.302 5.4.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.247 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.197 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.159 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.117 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.59 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.17.9 6.17.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18 * original_commit_for_fix | Not specified |
| ADP | Siemens | RUGGEDCOM RST2428P | affected V4.0 custom | Not specified |

References

| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| cert-portal.siemens.com/productcert/html/ssa-253495.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |