Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-38147— calipso: Don't call calipso functions for AF_INET sk.

EPSS 0.10% · P28

Affected Version Matrix 18

VendorProductVersion RangeStatus
LinuxLinuxceba1832b1b2da0149c51de62a847c00bca1677a< fc2da88411470480b8b7e9177e930cedd893cf56affected
ceba1832b1b2da0149c51de62a847c00bca1677a< 0c813dbc851dbf418fdc6dc883fd0592d6c555cdaffected
ceba1832b1b2da0149c51de62a847c00bca1677a< 26ce90f1ce60b0ff587de8d6aec399aa55cab28eaffected
ceba1832b1b2da0149c51de62a847c00bca1677a< c32ebe33626335a536dbbdd09571c06dd9bc1729affected
ceba1832b1b2da0149c51de62a847c00bca1677a< 946bfdfcb76ac2bac5b8526447035885ff41c598affected
ceba1832b1b2da0149c51de62a847c00bca1677a< dd8928897594931d6912ef2f7a43e110b4958d3daffected
ceba1832b1b2da0149c51de62a847c00bca1677a< e2ec310c7a50271843c585e27ef14e48c66ce649affected
ceba1832b1b2da0149c51de62a847c00bca1677a< 6e9f2df1c550ead7cecb3e450af1105735020c92affected
… +10 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-38147

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
calipso: Don't call calipso functions for AF_INET sk.
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: calipso: Don't call calipso functions for AF_INET sk. syzkaller reported a null-ptr-deref in txopt_get(). [0] The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there. However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in inet6_create(), meaning the socket was not IPv6 one. The root cause is missing validation in netlbl_conn_setattr(). netlbl_conn_setattr() switches branches based on struct sockaddr.sa_family, which is passed from userspace. However, netlbl_conn_setattr() does not check if the address family matches the socket. The syzkaller must have called connect() for an IPv6 address on an IPv4 socket. We have a proper validation in tcp_v[46]_connect(), but security_socket_connect() is called in the earlier stage. Let's copy the validation to netlbl_conn_setattr(). [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] RIP: 0010: Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace: <TASK> calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557 netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177 selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569 selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline] selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615 selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931 security_socket_connect+0x50/0xa0 security/security.c:4598 __sys_connect_file+0xa4/0x190 net/socket.c:2067 __sys_connect+0x12c/0x170 net/socket.c:2088 __do_sys_connect net/socket.c:2098 [inline] __se_sys_connect net/socket.c:2095 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:2095 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f901b61a12d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000 </TASK> Modules linked in:
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于缺少地址族验证,可能导致空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux ceba1832b1b2da0149c51de62a847c00bca1677a ~ fc2da88411470480b8b7e9177e930cedd893cf56 -
LinuxLinux 4.8 -

II. Public POCs for CVE-2025-38147

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-38147

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-07-03 · 78 CVEs total

CVE-2025-38128Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands
CVE-2025-38126net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping
CVE-2025-38113ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
CVE-2025-38125net: stmmac: make sure that ptp_rate is not 0 before configuring EST
CVE-2025-38124net: fix udp gso skb_segment after pull from frag_list
CVE-2025-38127ice: fix Tx scheduler error handling in XDP callback
CVE-2025-38129page_pool: Fix use-after-free in page_pool_recycle_in_ring
CVE-2025-38130drm/connector: only call HDMI audio helper plugged cb if non-null
CVE-2025-38131coresight: prevent deactivate active config while enabling the config
CVE-2025-38132coresight: holding cscfg_csdev_lock while removing cscfg from csdev
CVE-2025-38122gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
CVE-2025-38123net: wwan: t7xx: Fix napi rx poll issue
CVE-2025-38121wifi: iwlwifi: mld: avoid panic on init failure
CVE-2025-38119scsi: core: ufs: Fix a hang in the error handler
CVE-2025-38120netfilter: nf_set_pipapo_avx2: fix initial map fill
CVE-2025-38118Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
CVE-2025-38117Bluetooth: MGMT: Protect mgmt_pending list with its own lock
CVE-2025-38115net_sched: sch_sfq: fix a potential crash on gso_skb handling
CVE-2025-38116wifi: ath12k: fix uaf in ath12k_core_init()
CVE-2025-38114e1000: Move cancel_work_sync to avoid deadlock

Showing top 20 of 78 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-38147

No comments yet

Leave a comment