CVE-2025-39797— xfrm: Duplicate SPI Handling
Affected Version Matrix 12
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< 3d8090bb53424432fa788fe9a49e8ceca74f0544 | affected |
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< 2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38 | affected | ||
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< c67d4e7a8f90fb6361ca89d4d5c9a28f4e935e47 | affected | ||
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< 29e9158f91f99057dbd35db5e8674d93b38549fe | affected | ||
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< 94f39804d891cffe4ce17737d295f3b195bc7299 | affected | ||
2.6.12 | affected | ||
< 2.6.12 | unaffected | ||
6.6.103≤ 6.6.* | unaffected | ||
| … +4 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-39797
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
xfrm: Duplicate SPI Handling
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: Duplicate SPI Handling The issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI Netlink message, which triggers the kernel function xfrm_alloc_spi(). This function is expected to ensure uniqueness of the Security Parameter Index (SPI) for inbound Security Associations (SAs). However, it can return success even when the requested SPI is already in use, leading to duplicate SPIs assigned to multiple inbound SAs, differentiated only by their destination addresses. This behavior causes inconsistencies during SPI lookups for inbound packets. Since the lookup may return an arbitrary SA among those with the same SPI, packet processing can fail, resulting in packet drops. According to RFC 4301 section 4.4.2 , for inbound processing a unicast SA is uniquely identified by the SPI and optionally protocol. Reproducing the Issue Reliably: To consistently reproduce the problem, restrict the available SPI range in charon.conf : spi_min = 0x10000000 spi_max = 0x10000002 This limits the system to only 2 usable SPI values. Next, create more than 2 Child SA. each using unique pair of src/dst address. As soon as the 3rd Child SA is initiated, it will be assigned a duplicate SPI, since the SPI pool is already exhausted. With a narrow SPI range, the issue is consistently reproducible. With a broader/default range, it becomes rare and unpredictable. Current implementation: xfrm_spi_hash() lookup function computes hash using daddr, proto, and family. So if two SAs have the same SPI but different destination addresses, then they will: a. Hash into different buckets b. Be stored in different linked lists (byspi + h) c. Not be seen in the same hlist_for_each_entry_rcu() iteration. As a result, the lookup will result in NULL and kernel allows that Duplicate SPI Proposed Change: xfrm_state_lookup_spi_proto() does a truly global search - across all states, regardless of hash bucket and matches SPI and proto.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于未正确处理安全参数索引重复问题,可能导致数据包处理失败。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-39797
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-39797
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-09-12 · 7 CVEs total
| CVE-2025-39792 | dm: Always split write BIOs to zoned device limits | |
| CVE-2025-39793 | io_uring/memmap: cast nr_pages to size_t before shifting | |
| CVE-2025-39794 | ARM: tegra: Use I/O memcpy to write to IRAM | |
| CVE-2025-39795 | block: avoid possible overflow for chunk_sectors check in blk_stack_limits() | |
| CVE-2025-39796 | net: lapbether: ignore ops-locked netdevs | |
| CVE-2025-39798 | NFS: Fix the setting of capabilities when automounting a new filesystem |
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
Same vendor: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
V. Comments for CVE-2025-39797
No comments yet