CVE-2025-39965 PoC — xfrm: xfrm_alloc_spi shouldn't use 0 as SPI

Source
Associated Vulnerability
Title: xfrm: xfrm_alloc_spi shouldn't use 0 as SPI (CVE-2025-39965)
Description: In the Linux kernel, the following vulnerability has been resolved:

xfrm: xfrm_alloc_spi shouldn't use 0 as SPI

x->id.spi == 0 means "no SPI assigned", but since commit 94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states and add them to the byspi list with this value. __xfrm_state_delete doesn't remove those states from the byspi list, since they shouldn't be there, and this shows up as a UAF the next time we go through the byspi list.
Description
PoC for CVE-2025-39965
Readme
## DISCLAIMER
All content provided is for educational and research purposes only. All testing was conducted exclusively on a Linux Kernel Emulator, in a safe, isolated environment. No production systems or devices owned by others were involved or affected during this research. The author assumes no responsibility for any misuse of the information presented or for any damages resulting from its application.

### Blog
https://streypaws.github.io/posts/Dissecting-a-1-Day-Vulnerability-in-Linux-XFRM-Subsystem/
File Snapshot

[4.0K] /data/pocs/0f6814158051146976be594c877c4c9292db9a98
├── [ 34K] LICENSE
├── [1.2K] Makefile
├── [8.7K] poc.c
├── [ 12K] read.c
├── [ 513] README.md
└── [ 221] run.sh

1 directory, 6 files