{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40240", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.181Z", "datePublished": "2025-12-04T15:31:29.715Z", "dateUpdated": "2026-05-11T21:45:30.172Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:45:30.172Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk->skb pointer is dereferenced in the if-block where it's supposed\nto be NULL only.\n\nchunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list\ninstead and do it just before replacing chunk->skb. We're sure that\notherwise chunk->skb is non-NULL because of outer if() condition."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sctp/inqueue.c"], "versions": [{"version": "90017accff61ae89283ad9a51f9ac46ca01633fb", "lessThan": "61cda2777b07d27459f5cac5a047c3edf9c8a1a9", "status": "affected", "versionType": "git"}, {"version": "90017accff61ae89283ad9a51f9ac46ca01633fb", "lessThan": "08165c296597075763130919f2aae59b5822f016", "status": "affected", "versionType": "git"}, {"version": "90017accff61ae89283ad9a51f9ac46ca01633fb", "lessThan": "03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f", "status": "affected", "versionType": "git"}, {"version": "90017accff61ae89283ad9a51f9ac46ca01633fb", "lessThan": "4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71", "status": "affected", "versionType": "git"}, {"version": "90017accff61ae89283ad9a51f9ac46ca01633fb", "lessThan": "cb9055ba30306ede4ad920002233d0659982f1cb", "status": "affected", "versionType": "git"}, {"version": "90017accff61ae89283ad9a51f9ac46ca01633fb", "lessThan": "7a832b0f99be19df608cb75c023f8027b1789bd1", "status": "affected", "versionType": "git"}, {"version": "90017accff61ae89283ad9a51f9ac46ca01633fb", "lessThan": "89b465b54227c245ddc7cc9ed822231af21123ef", "status": "affected", "versionType": "git"}, {"version": "90017accff61ae89283ad9a51f9ac46ca01633fb", "lessThan": "441f0647f7673e0e64d4910ef61a5fb8f16bfb82", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sctp/inqueue.c"], "versions": [{"version": "4.8", "status": "affected"}, {"version": "0", "lessThan": "4.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.301", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.246", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.196", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.158", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.115", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.56", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.6", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.4.301"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.10.246"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.15.196"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.1.158"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.6.115"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.12.56"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.17.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9"}, {"url": "https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016"}, {"url": "https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f"}, {"url": "https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71"}, {"url": "https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb"}, {"url": "https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1"}, {"url": "https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef"}, {"url": "https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82"}], "title": "sctp: avoid NULL dereference when chunk data buffer is missing", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk->skb pointer is dereferenced in the if-block where it's supposed\nto be NULL only.\n\nchunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list\ninstead and do it just before replacing chunk->skb. We're sure that\notherwise chunk->skb is non-NULL because of outer if() condition."}], "id": "CVE-2025-40240", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2025-12-04T16:16:17.100", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: sctp: avoid NULL dereference when chunk data buffer is missing", "id": "2418832", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418832"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nsctp: avoid NULL dereference when chunk data buffer is missing\nchunk->skb pointer is dereferenced in the if-block where it's supposed\nto be NULL only.\nchunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list\ninstead and do it just before replacing chunk->skb. We're sure that\notherwise chunk->skb is non-NULL because of outer if() condition."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2025-40240", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-40240\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40240\nhttps://lore.kernel.org/linux-cve-announce/2025120403-CVE-2025-40240-745a@gregkh/T"], "statement": "A missing data buffer (frag_list) in SCTP chunk processing could trigger a NULL pointer dereference when handling GSO packets.\nA remote attacker sending a malformed SCTP packet could cause a kernel crash (DoS).\nThe system is vulnerable only if CONFIG_IP_SCTP enabled in Kernel configuration (and for the Red Hat Enterprise Linux it is always disabled in older versions and enabled as module in latest versions only). However even if module exists in Red Hat Enterprise Linux, still admin need to specially enable it usage (make some SCTP listening port available) before exploitation would be possible.", "threat_severity": "Moderate"}

{}